Skip to main content

Lhaz and Lhaz+ EUVDEUVD-2026-29379

| CVE-2026-41530 MEDIUM
Path Traversal (CWE-22)
2026-05-12 jpcert GHSA-g8fh-6crc-6rfw
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Severity Changed
May 12, 2026 - 06:22 NVD
LOW MEDIUM
CVSS changed
May 12, 2026 - 06:22 NVD
3.3 (LOW) 4.6 (MEDIUM)
Analysis Generated
May 12, 2026 - 05:45 vuln.today
CVE Published
May 12, 2026 - 05:21 nvd
LOW 3.3

DescriptionCVE.org

The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, then the archived files may be extracted to an unexpected folder.

AnalysisAI

Path traversal vulnerability in Lhaz and Lhaz+ archive extraction allows local users to write files to unintended directories when the automatic folder creation feature is enabled and a crafted archive is extracted. The vulnerability requires user interaction (extracting a malicious archive) and affects only the integrity of file placement, not confidentiality or availability. CVSS score is 3.3 (low); no public exploit code or active exploitation has been identified.

Technical ContextAI

The vulnerability resides in the automatic folder creation feature of Lhaz and Lhaz+ (archive extraction utilities by Chitora soft). The root cause is improper validation of file paths during archive extraction, classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). When processing archive entries with specially crafted filenames containing path traversal sequences (such as '../' or similar notation), the application fails to neutralize or validate these sequences before creating directories and extracting files, allowing an attacker to write files outside the intended extraction directory.

RemediationAI

Users should apply the patched version provided by Chitora soft; exact fix versions are not specified in the available data, so check the vendor advisory at https://www.chitora.com/jvn68350834.html for the latest release. As an immediate workaround, disable the automatic folder creation feature in Lhaz or Lhaz+ settings and manually create target directories before extraction; this eliminates the vulnerability condition at the cost of a reduced user experience. Alternatively, only extract archives from trusted sources and extract to dedicated, isolated directories rather than user home directories, limiting collateral damage from file placement to unexpected locations.

Share

EUVD-2026-29379 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy