CVE-2026-11470: hsweb-framework Path Traversal in File Upload Component
A path traversal vulnerability exists in the hsweb-framework file upload component that allows authenticated users to manipulate filenames and access files outside the intended upload directory. An attacker with valid credentials can exploit this flaw to read or write arbitrary files on the affected system by crafting malicious filename parameters. Public disclosure means this vulnerability has been shared in security communities, increasing the likelihood of active exploitation attempts.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in hs-web hsweb-framework up to 5.0.1. The affected element is the function denied of the file hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java of the component File Upload. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 8009845b577d8a2c4bbf4fdd8e8913799a714be6. It is suggested to install a patch to address this issue.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the FileUploadProperties.java component's denied function within the hsweb-system-file module of hs-web hsweb-framework versions up to 5.0.1. The flaw is a classic path traversal issue (CWE-22) stemming from insufficient validation of the filename argument. An authenticated attacker can bypass directory restrictions by injecting path traversal sequences (such as ../ or absolute paths) into the filename parameter, enabling unauthorized file system access. The attack requires network access and valid authentication credentials but does not require user interaction.
Business impact
Organizations using affected hsweb-framework versions face risks of unauthorized file access, potential data exfiltration, or malicious file placement. Compromised user accounts could be leveraged to modify application files, tamper with data, or establish persistence mechanisms. The confidentiality and integrity impact is limited by the authentication requirement, but the scope of file system exposure warrants prompt remediation to prevent insider threats or lateral movement after credential compromise.
Affected systems
hs-web hsweb-framework versions up to and including 5.0.1 are vulnerable. Any deployment using this framework with file upload functionality is affected. Assess your application inventory to identify instances of this framework version and document which systems have exposed file upload endpoints that can be accessed by authenticated users.
Exploitability
Exploitation requires valid authentication credentials and network access to the file upload endpoint. The attack complexity is low—no special conditions or bypasses are needed once authenticated. Public disclosure and available attack details increase the practical exploitability risk, though the authentication barrier provides some protective friction. Organizations with strong access controls and monitoring of file upload activity may detect exploitation attempts.
Remediation
Install a patched version of hsweb-framework that addresses this vulnerability. The vendor has provided a fix identified by commit hash 8009845b577d8a2c4bbf4fdd8e8913799a714be6. Consult the official hsweb-framework release notes and advisory documentation to confirm the patched version number and upgrade path for your deployment model. Until patching is complete, restrict file upload functionality to trusted users and monitor upload activity for suspicious filename patterns.
Patch guidance
Obtain and deploy the patched version of hsweb-framework corresponding to commit 8009845b577d8a2c4bbf4fdd8e8913799a714be6 from the vendor's official repository. Test the patch in a non-production environment to ensure compatibility with your application configuration and dependent components. Prioritize patching systems where file upload endpoints are exposed to end users or less-trusted authenticated accounts. Verify the patch's integrity and authenticity through the vendor's official channels before deployment.
Detection guidance
Monitor file upload request logs for suspicious filename patterns, including path traversal sequences (../, .., absolute paths, or encoded variants such as %2e%2e). Alert on uploads where the filename argument contains directory separators or path traversal indicators. Enable file system access logging to detect unauthorized reads or writes outside designated upload directories. Review authentication logs for unusual access patterns to file upload endpoints, particularly from accounts that do not typically use these features.
Why prioritize this
Although marked MEDIUM severity due to authentication requirements, this vulnerability warrants prompt attention because public disclosure increases active exploitation likelihood, the attack is straightforward to execute with valid credentials, and the impact includes both confidential data exposure and system integrity compromise. Organizations with permissive internal access or shared accounts should treat this as higher priority.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects a network-accessible vulnerability requiring low attack complexity and valid authentication (PR:L). Confidentiality, Integrity, and Availability impacts are each low (L), indicating the scope of file system exposure is constrained by the authentication requirement. The score accurately represents the threat level for typical deployments but may understate risk in environments with weak credential management or high-privilege authenticated user bases.
Frequently asked questions
Do we need to authenticate to exploit this vulnerability?
Yes. The vulnerability requires valid authentication credentials and network access to the file upload endpoint. However, this does not eliminate risk—compromised user accounts, shared credentials, or overly permissive internal access can enable exploitation. Assess your organization's credential hygiene and access controls.
What happens if an attacker successfully exploits this flaw?
An authenticated attacker can read files outside the intended upload directory (confidentiality impact), write or modify arbitrary files on the system (integrity impact), and potentially disrupt availability depending on which files are targeted. The severity depends on the application's file system permissions and what sensitive data or critical files are accessible.
Is this vulnerability currently being exploited in the wild?
The vulnerability has been publicly disclosed, which increases the likelihood of exploitation attempts. However, no confirmed widespread attacks have been documented at this time. Organizations should assume active discovery and exploitation attempts are occurring and prioritize patching accordingly.
How can we reduce risk before patching?
Restrict file upload functionality to trusted users through role-based access controls. Monitor file upload logs for suspicious filenames containing path traversal patterns. Validate and sanitize filename inputs server-side to reject or strip path traversal sequences. Review file system permissions to limit the blast radius if exploitation occurs. Plan your patch deployment timeline immediately.
This analysis is provided for informational purposes to support vulnerability management decision-making. Verify all patch versions, compatibility, and vendor advisories through official sources before deployment. SEC.co makes no warranty regarding the completeness or accuracy of vendor data, patch applicability, or exploitation likelihood in your environment. Testing patches in non-production environments is mandatory. Consult with your vendor and internal security teams regarding deployment timelines and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2022-50953MEDIUMWordPress admin-word-count-column Plugin Local File Read Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller