RCE in Efwgrp Efw4.x
CVE-2026-44257
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes…
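The canonical-path check the description says is missing, as an added illustration (not efw's code and not the 4.08.010 fix; the SafeUnzip class and its method names are hypothetical):

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Hypothetical hardened unzip; illustrates the check, not efw's own FileManager. */
public final class SafeUnzip {

    /** Resolve entryName under baseDir; reject any entry whose canonical path leaves it. */
    static File resolveEntry(File baseDir, String entryName) throws IOException {
        File target = new File(baseDir, entryName);          // same join the vulnerable code does
        String base = baseDir.getCanonicalPath();
        String resolved = target.getCanonicalPath();         // collapses "..", symlinks, separators
        // Without the trailing separator, "/opt/app/data" would wrongly accept "/opt/app/data2/x".
        if (!resolved.equals(base) && !resolved.startsWith(base + File.separator)) {
            throw new IOException("Zip entry escapes target directory: " + entryName);
        }
        return target;
    }

    /** Extract every entry of zipData under baseDir, validating each name before writing. */
    static void unZip(InputStream zipData, File baseDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipData)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File target = resolveEntry(baseDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                } else {
                    Files.createDirectories(target.toPath().getParent());
                    Files.copy(zis, target.toPath(), StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        File base = Files.createTempDirectory("unzip-demo").toFile();
        System.out.println(resolveEntry(base, "reports/q1.txt"));   // accepted
        try {
            resolveEntry(base, "../../../pwned.jsp");               // the name from the advisory
        } catch (IOException rejected) {
            System.out.println(rejected.getMessage());              // rejected before any write
        }
    }
}
```

The check runs before any file is created, so a traversal entry fails the whole extraction rather than leaving a partial write behind.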
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.003 (50.8th percentile)
Affected products
- Efwgrp Efw4.x — versions < 4.08.010
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)