CVE-2026-41530
Path Traversal in Lhaz and Lhaz+ Archive Tool
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: JPCERT/CC
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chitora_soft | lhaz | up to 2.6.4 (excluding) |
| chitora_soft | lhaz_plus | up to 3.6.4 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41530 is a path traversal vulnerability in the automatic folder creation feature of Lhaz and Lhaz+, archive tools developed by Chitora soft.
When this feature is enabled and a user extracts an archive containing an entry with a specially crafted file name, the extracted file may be written to a folder outside the intended extraction directory.
This happens because the software does not neutralize path traversal elements in the file names stored in the archive, so an entry name can resolve to a location in a parent directory instead of staying under the extraction folder.
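The check an extractor needs is shown below as an added example; it is not Lhaz code, and Lhaz's actual behaviour is only modelled by the assumption that "automatic folder creation" means extracting into a sub-folder named after the archive. The code vets each entry name twice: a textual filter rejects absolute, drive-qualified and `..`-containing names, and a containment check on the resolved path rejects anything that still lands outside the target folder. The sample entry names are constructed for the demonstration.

```python
"""Safe destination check for archive entries (added example, not Lhaz code)."""
import os
import tempfile
from pathlib import PureWindowsPath


class UnsafeEntryName(ValueError):
    """Raised when an archive entry would land outside the extraction folder."""


def safe_extraction_path(dest_dir: str, entry_name: str) -> str:
    """Return the absolute on-disk path for entry_name under dest_dir, or raise.

    Layer 1 filters the name textually; layer 2 resolves the joined path and
    requires dest_dir to be its common prefix, so a name that slips past the
    first filter still cannot escape.
    """
    if not entry_name:
        raise UnsafeEntryName("empty entry name")
    # Archives written on Windows often carry backslashes; treat both as separators.
    normalized = entry_name.replace("\\", "/")
    if normalized.startswith("/") or PureWindowsPath(entry_name).drive:
        raise UnsafeEntryName(f"absolute or drive-qualified name: {entry_name!r}")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise UnsafeEntryName(f"parent-directory component in: {entry_name!r}")
    if not parts:
        raise UnsafeEntryName(f"name has no file component: {entry_name!r}")

    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    # Containment check: the only acceptable common prefix is base itself.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeEntryName(f"resolved outside extraction folder: {entry_name!r}")
    return target


def plan_extraction(dest_dir: str, archive_name: str, entry_names):
    """Model the assumed 'automatic folder creation' behaviour: extract into a
    sub-folder named after the archive and vet every entry against it.
    Returns (accepted {entry: path}, rejected {entry: reason})."""
    stem = os.path.splitext(os.path.basename(archive_name))[0]
    auto_folder = os.path.join(dest_dir, stem)
    accepted, rejected = {}, {}
    for name in entry_names:
        try:
            accepted[name] = safe_extraction_path(auto_folder, name)
        except UnsafeEntryName as exc:
            rejected[name] = str(exc)
    return accepted, rejected


# Constructed sample entry names (not taken from any real archive).
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "sub\\note.txt",
    "docs/./same.txt",
    "../outside.txt",
    "docs/../../escape.txt",
    "/abs/file.txt",
    "C:\\drive\\file.txt",
]


def demo(dest_dir=None):
    """Run the plan over the constructed sample; returns (accepted, rejected, folder)."""
    dest = dest_dir or os.path.join(tempfile.gettempdir(), "lhaz_example")
    accepted, rejected = plan_extraction(dest, "sample.zip", SAMPLE_ENTRIES)
    return accepted, rejected, os.path.realpath(os.path.join(dest, "sample"))


if __name__ == "__main__":
    ok, bad, folder = demo()
    for name, path in ok.items():
        print(f"accept {name!r} -> {path}")
    for name, reason in bad.items():
        print(f"reject {name!r}: {reason}")
```

The second layer matters because the textual filter only knows about the separators and components it was written for; the `commonpath` comparison is what guarantees that whatever the name looked like, the file is written under the folder the user chose.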
How can this vulnerability impact me?
This vulnerability can cause files extracted from an archive to be placed in unintended locations on the file system.
Such unexpected extraction paths may lead to overwriting or placing files in sensitive directories, potentially causing data integrity issues or security risks.
Although the CVSS scores indicate a moderate severity, the impact depends on the context of use and the sensitivity of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of the Lhaz or Lhaz+ software installed on your system. The affected versions are Lhaz 2.6.3 and earlier, and Lhaz+ 3.6.3 and earlier.
To verify the version, launch Lhaz or Lhaz+, then select the "Help" menu and choose "About" or "Version Information" to see the installed version number.
The available resources provide no network-based detection commands for this vulnerability; detection relies on identifying installed versions.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the affected software to the fixed versions released by Chitora soft.
- Update Lhaz to version 2.6.4 or later.
- Update Lhaz+ to version 3.6.4 or later.
These updates address the path traversal vulnerability in the automatic folder creation feature and prevent extraction of files to unintended folders.