CVE-2026-41530 | THREATINT

Description

The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, then the archived files may be extracted to an unexpected folder.

PUBLISHED Reserved 2026-04-21 | Published 2026-05-12 | Updated 2026-05-12 | Assigner jpcert

LOW: 3.3CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

MEDIUM: 4.6CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

Improper limitation of a pathname to a restricted directory ('Path Traversal')

Product status

2.6.3 and earlier

affected

3.6.3 and earlier

affected

References

www.chitora.com/jvn68350834.html

jvn.jp/en/jp/JVN68350834/

cve.org (CVE-2026-41530)

nvd.nist.gov (CVE-2026-41530)

Download JSON