← voltar
CVE-2026-44259

efw4.X: Stored XSS via previewServlet

CVSS 4.6 MEDIUMEPSS 0.1%CWE-80
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 4.6EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
12 mai 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml respectively, causing any embedded JavaScript to execute in the victim's browser within the application's origin. This vulnerability is fixed in 4.08.010.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Produtos afetados
efwGrp · efw4.X

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/efwGrp/efw4.X/security/advisories/GHSA-hw67-p3gw-rrmj