[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-44257":6},{"stargazers_count":4,"fetched_at":5},5,"2026-05-13T10:40:20.565Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":52,"aliases":53,"duplicate_of":9,"upstream":54,"downstream":55,"duplicates":56,"related":57,"reserved_at":9,"published_at":58,"modified_at":58,"state":59,"summary":60,"references_raw":67,"kevs":74,"epss":9,"epss_history":75,"metrics":76,"affected":83},"CVE-2026-44257","efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-77","Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.","weakness","Draft","Class","High",[20,24,28,32,36,40,44,48],{"id":21,"name":22,"techniques":23},"CAPEC-136","LDAP Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-15","Command Delimiters",[],{"id":29,"name":30,"techniques":31},"CAPEC-183","IMAP/SMTP Command Injection",[],{"id":33,"name":34,"techniques":35},"CAPEC-248","Command Injection",[],{"id":37,"name":38,"techniques":39},"CAPEC-40","Manipulating Writeable Terminal Devices",[],{"id":41,"name":42,"techniques":43},"CAPEC-43","Exploiting Multiple Input Interpretation Layers",[],{"id":45,"name":46,"techniques":47},"CAPEC-75","Manipulating Writeable Configuration Files",[],{"id":49,"name":50,"techniques":51},"CAPEC-76","Manipulating Web Input to File System Calls",[],[],[],[],[],[],[],"2026-05-12T21:06:42.018Z","Received",{"cisa_kev":61,"cisa_ransomware":61,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":62,"severity_score":63,"severity_version":64,"severity_source":65,"severity_vector":66,"severity_status":59},false,"critical",9.3,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[68],{"url":69,"sources":70,"tags":72},"https://github.com/efwGrp/efw4.X/security/advisories/GHSA-q7jx-7x5r-r9f6",[65,71],"nvd",[73],"X Refsource CONFIRM",[],[],[77,80],{"source":65,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":78},{"baseScore":63,"baseSeverity":79,"vectorString":66,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":71,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":81},{"baseScore":63,"baseSeverity":79,"vectorString":82,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[84],{"ecosystem":9,"name":85,"vendor":86,"product":87,"cpe_part":88,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":89},"efw4.X","efwgrp","efw4.x","a",[90],{"version":91,"is_range":92,"range_type":65,"version_start":9,"version_start_type":9,"version_end":93,"version_end_type":94,"fixed_in":9},"\u003C 4.08.010",true,"4.08.010","excluding"]