CVE-2026-41530
Received Received - Intake

Path Traversal in Lhaz and Lhaz+ Archive Tool

Vulnerability report for CVE-2026-41530, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: JPCERT/CC

Description

The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, then the archived files may be extracted to an unexpected folder.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-12
Last Modified
2026-05-12
Generated
2026-07-11
AI Q&A
2026-05-12
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
chitora_soft lhaz to 2.6.4 (exc)
chitora_soft lhaz_plus to 3.6.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-41530 is a path traversal vulnerability found in the automatic folder creation feature of Lhaz and Lhaz+ software developed by Chitora soft.

When this feature is enabled and a user extracts an archive file with a specially crafted file name, the extracted files may be placed in an unexpected folder outside the intended extraction directory.

This occurs because the software does not properly handle the archive file names, allowing traversal to parent directories.

Impact Analysis

This vulnerability can cause files extracted from an archive to be placed in unintended locations on the file system.

Such unexpected extraction paths may lead to overwriting or placing files in sensitive directories, potentially causing data integrity issues or security risks.

Although the CVSS scores indicate a moderate severity, the impact depends on the context of use and the sensitivity of the affected system.

Detection Guidance

This vulnerability can be detected by checking the version of the Lhaz or Lhaz+ software installed on your system. The affected versions are Lhaz 2.6.3 and earlier, and Lhaz+ 3.6.3 and earlier.

To verify the version, launch Lhaz or Lhaz+, then select the "Help" menu and choose "About" or "Version Information" to see the installed version number.

There are no specific network detection commands provided for this vulnerability in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the affected software to the fixed versions released by Chitora soft.

  • Update Lhaz to version 2.6.4 or later.
  • Update Lhaz+ to version 3.6.4 or later.

These updates address the path traversal vulnerability in the automatic folder creation feature and prevent extraction of files to unintended folders.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41530. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart