CVE-2026-41530
Received Received - Intake
Path Traversal in Lhaz and Lhaz+ Archive Tool

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: JPCERT/CC

Description
The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, then the archived files may be extracted to an unexpected folder.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-12
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-41530
EUVD
EUVD-2026-29379
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
chitora_soft lhaz to 2.6.4 (exc)
chitora_soft lhaz_plus to 3.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41530 is a path traversal vulnerability found in the automatic folder creation feature of Lhaz and Lhaz+ software developed by Chitora soft.

When this feature is enabled and a user extracts an archive file with a specially crafted file name, the extracted files may be placed in an unexpected folder outside the intended extraction directory.

This occurs because the software does not properly handle the archive file names, allowing traversal to parent directories.

Impact Analysis

This vulnerability can cause files extracted from an archive to be placed in unintended locations on the file system.

Such unexpected extraction paths may lead to overwriting or placing files in sensitive directories, potentially causing data integrity issues or security risks.

Although the CVSS scores indicate a moderate severity, the impact depends on the context of use and the sensitivity of the affected system.

Detection Guidance

This vulnerability can be detected by checking the version of the Lhaz or Lhaz+ software installed on your system. The affected versions are Lhaz 2.6.3 and earlier, and Lhaz+ 3.6.3 and earlier.

To verify the version, launch Lhaz or Lhaz+, then select the "Help" menu and choose "About" or "Version Information" to see the installed version number.

There are no specific network detection commands provided for this vulnerability in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the affected software to the fixed versions released by Chitora soft.

  • Update Lhaz to version 2.6.4 or later.
  • Update Lhaz+ to version 3.6.4 or later.

These updates address the path traversal vulnerability in the automatic folder creation feature and prevent extraction of files to unintended folders.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41530. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart