CVE-2026-11470 MEDIUM

CVE-2026-11470: hs-web hsweb-framework File Upload FileUploadProperties.java denied path traversal

Vendor Hs-Web

Product hsweb-framework

Weakness CWE-22 · Path traversal

Published June 8, 2026

Last update June 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability has been found in hs-web hsweb-framework up to 5.0.1. The affected element is the function denied of the file hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java of the component File Upload. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 8009845b577d8a2c4bbf4fdd8e8913799a714be6. It is suggested to install a patch to address this issue.

Key dates

Disclosure timeline

June 8, 2026 CVE published

June 8, 2026 Record updated

Identifiers

CVE CVE-2026-11470

CWE CWE-22

CVSS 5.3 / MEDIUM

Affected versions

Vendor Hs-Web

Product hsweb-framework

Affected 5.0.0

Vendor Hs-Web

Product hsweb-framework

Affected 5.0.1