CVE-2026-44260— efw4.X: readonly Flag Not Enforced Server-Side
Possible ATT&CK Techniques 1AI
T1552.007 · Container APIGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44260
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
efw4.X: readonly Flag Not Enforced Server-Side
Source: NVD (National Vulnerability Database)
Vulnerability Description
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
EFW Framework 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
EFW Framework是efw group开源的一个基于Ajax和服务端JavaScript的企业级Web开发框架。 EFW Framework 4.08.010之前版本存在安全漏洞,该漏洞源于readonly标志仅控制客户端UI元素,未在事件处理程序中检查,可能导致绕过只读限制执行文件操作。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44260
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44260
请登录查看更多情报信息。
- https://github.com/efwGrp/efw4.X/security/advisories/GHSA-5454-qhrf-vcvhx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44260
Same Patch Batch · efwGrp · 2026-05-12 · 4 CVEs total
| CVE-2026-44259 | 4.6 MEDIUM | efw4.X: Stored XSS via previewServlet |
| CVE-2026-44257 | efw4.X: RCE via zipslip | |
| CVE-2026-44258 | efw4.X: Path Traversal via Unchecked dst Parameter leads to Remote Code Execution |
IV. Related Vulnerabilities
Same weakness: CWE-863
- CVE-2026-28732
Slash command trigger-word update allowed command hijacking - CVE-2026-6343
Mattermost Playbooks Plugin fails to enforce view permission - CVE-2026-4286
Playbooks Plugin fails to validate team transfers, allowing - CVE-2026-6341
Incomplete group locking implementation - CVE-2026-6342
Group prefix matching bypass for subscriptions
V. Comments for CVE-2026-44260
No comments yet