Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, then the archived files may be extracted to an unexpected folder.
AnalysisAI
Path traversal vulnerability in Lhaz and Lhaz+ archive extraction allows local users to write files to unintended directories when the automatic folder creation feature is enabled and a crafted archive is extracted. The vulnerability requires user interaction (extracting a malicious archive) and affects only the integrity of file placement, not confidentiality or availability. CVSS score is 3.3 (low); no public exploit code or active exploitation has been identified.
Technical ContextAI
The vulnerability resides in the automatic folder creation feature of Lhaz and Lhaz+ (archive extraction utilities by Chitora soft). The root cause is improper validation of file paths during archive extraction, classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). When processing archive entries with specially crafted filenames containing path traversal sequences (such as '../' or similar notation), the application fails to neutralize or validate these sequences before creating directories and extracting files, allowing an attacker to write files outside the intended extraction directory.
RemediationAI
Users should apply the patched version provided by Chitora soft; exact fix versions are not specified in the available data, so check the vendor advisory at https://www.chitora.com/jvn68350834.html for the latest release. As an immediate workaround, disable the automatic folder creation feature in Lhaz or Lhaz+ settings and manually create target directories before extraction; this eliminates the vulnerability condition at the cost of a reduced user experience. Alternatively, only extract archives from trusted sources and extract to dedicated, isolated directories rather than user home directories, limiting collateral damage from file placement to unexpected locations.
Untrusted search path vulnerability in Self-extracting archive files created by Lhaz+ version 3.4.0 and earlier allows a
Untrusted search path vulnerability in Installer of Lhaz+ version 3.4.0 and earlier allows an attacker to gain privilege
Untrusted search path vulnerability in Self-extracting archive files created by Lhaz version 2.4.0 and earlier allows an
Untrusted search path vulnerability in Installer of Lhaz version 2.4.0 and earlier allows an attacker to gain privileges
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29379
GHSA-g8fh-6crc-6rfw