CVE-2026-11470 | hs-web hsweb-framework up to 5.0.1 File Upload FileUploadProperties.java denied filename path traversal (Issue 344)

A vulnerability was found in hs-web hsweb-framework up to 5.0.1. It has been rated as critical. The affected element is the function denied of the file hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java of the component File Upload. The manipulation of the argument filename leads to path traversal.

This vulnerability is traded as CVE-2026-11470. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

It is suggested to install a patch to address this issue.VulDB Recent EntriesRead More