Chitora Soft Addresses Path Traversal Vulnerability in Lhaz Archive Software
AI-generated from multiple sources. Verify before acting on this reporting.
TOKYO (AP) — Chitora Soft has acknowledged a security vulnerability in its Lhaz and Lhaz+ archive software that allows a maliciously crafted archive to place files in directories outside the folder the user chose for extraction. The flaw, identified as CVE-2026-41530, stems from improper handling of archive member file names when the software's automatic folder creation feature is enabled.
The vulnerability was disclosed on May 11, 2026, following an analysis by security researchers RyotaK of GMO Flatt Security Inc. and Rei Yano. The issue lets an attacker escape the intended extraction directory, potentially placing executable code in sensitive system locations. This path traversal vulnerability could be exploited to execute arbitrary code or overwrite files the user can write to if the user extracts a maliciously crafted archive.
Chitora Soft, a Japanese software vendor, confirmed the defect after the researchers reported the findings to the Japan Computer Emergency Response Team (JPCERT/CC). The flaw affects the way the software processes file paths stored within compressed archives. When the automatic folder creation function is active, the application creates a folder for the archive and joins each member's stored name to it without sanitizing that name, so a name containing directory traversal sequences such as "../" is accepted as a valid path and resolves to a location outside the newly created folder.
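To make the mechanism concrete, the following is an added example and not Chitora Soft's code, nor derived from Lhaz (a Windows application); it is a generic extractor in Python. It places a naive "create folder, then join the stored name" path computation beside a hardened check, and goes somewhat beyond the article's specific case by also handling backslash separators, Windows drive-letter prefixes and a final resolved-path check that catches a symlink planted by an earlier member. The archive member names, the folder layout and the `C:` prefix are all constructed for illustration.

```python
"""Archive extraction path handling: the naive join that makes an
"auto-create folder, then extract" feature traversable, beside a hardened
check. Added example; not Chitora Soft's code and not derived from Lhaz.
The member names below are constructed for illustration."""
import os
import posixpath
import tempfile

# Constructed member names as an attacker could store them in an archive.
# Entries 2 and 3 carry traversal sequences (the third with Windows-style
# backslashes), entry 4 is absolute, entry 5 is drive-qualified.
MALICIOUS_MEMBERS = [
    "report.txt",
    "../../escaped.txt",
    "sub\\..\\..\\..\\escaped2.txt",
    "/etc/escaped3.txt",
    "C:\\Windows\\escaped4.txt",
    "ok/nested/file.txt",
]


def naive_target(dest_root: str, member_name: str) -> str:
    """The vulnerable pattern: trust the stored name and join it to the
    freshly created folder. Creating parent directories of this path and
    writing to it follows ".." wherever the archive points."""
    return os.path.normpath(os.path.join(dest_root, member_name.replace("\\", os.sep)))


def sanitize_member_name(member_name: str) -> str:
    """Return a normalized relative path for member_name or raise ValueError.
    Both separators are handled because archives created on Windows commonly
    carry backslashes; absolute and drive-qualified names are refused."""
    name = member_name.replace("\\", "/")
    if name.startswith("/"):
        raise ValueError(f"absolute member name: {member_name!r}")
    if len(name) > 1 and name[1] == ":":  # drive-letter prefix such as C:
        raise ValueError(f"drive-qualified member name: {member_name!r}")
    norm = posixpath.normpath(name)  # collapses "a/./b" and "a/x/../b"
    parts = norm.split("/")
    if norm in (".", "") or any(p in ("", "..") for p in parts):
        raise ValueError(f"traversal in member name: {member_name!r}")
    return norm


def is_rejected(member_name: str) -> bool:
    """Convenience wrapper: True if sanitize_member_name refuses the name."""
    try:
        sanitize_member_name(member_name)
    except ValueError:
        return True
    return False


def safe_target(dest_root: str, member_name: str) -> str:
    """Absolute extraction path for member_name, guaranteed under dest_root."""
    root = os.path.realpath(dest_root)
    rel = sanitize_member_name(member_name)
    target = os.path.realpath(os.path.join(root, *rel.split("/")))
    # Second line of defence: the name was clean, but a directory it passes
    # through may be a symlink written by an earlier member of the same
    # archive, so confirm the resolved path still sits under the root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"resolved outside extraction root: {member_name!r}")
    return target


def demo(members=MALICIOUS_MEMBERS):
    """Run both strategies against the constructed members in a throwaway
    tree. Returns (naive_escapes, safe_rejected): names whose naive target
    lands outside the extraction folder, and names the hardened check refused.
    Nothing is written for the naive strategy; only the safe one extracts."""
    with tempfile.TemporaryDirectory() as tmp:
        # Mimic the auto-folder feature: the extraction root is a new folder
        # named after the archive, nested so that "../.." stays inside tmp.
        dest_root = os.path.join(tmp, "downloads", "archive_name")
        os.makedirs(dest_root)
        root = os.path.realpath(dest_root)
        naive_escapes, safe_rejected = [], []
        for name in members:
            if os.path.commonpath([root, os.path.realpath(naive_target(dest_root, name))]) != root:
                naive_escapes.append(name)
            try:
                target = safe_target(dest_root, name)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "w") as fh:
                    fh.write("payload\n")
            except ValueError:
                safe_rejected.append(name)
        return naive_escapes, safe_rejected


if __name__ == "__main__":
    escaped, rejected = demo()
    print("naive join escapes the folder for:", escaped)
    print("hardened check rejects:", rejected)
```

Which names the naive join sends outside the folder depends on the host's path rules (on a POSIX host the drive-qualified name stays inside the root; on Windows it would not), which is why the hardened check refuses such names outright rather than relying on the join. The same separator and prefix handling applies whatever the container format, so the check is equally relevant for LZH and ZIP members.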
Security experts warn that the risk is elevated for users who frequently download and extract archives from untrusted sources. The only user interaction required is extracting the archive, making it a significant threat on systems where Lhaz is installed with default settings. The automatic folder creation feature, designed to streamline file management, inadvertently creates the opening for exploitation.
GMO Flatt Security Inc. and the researchers have advised users to disable the automatic folder creation feature immediately as a temporary mitigation until a patch is released. The company has not yet specified a timeline for a software update, though industry observers expect a fix to be distributed in the coming weeks. Users are also urged to avoid extracting archives from unknown senders.
The discovery highlights ongoing challenges in archive software security, where path traversal flaws remain a persistent concern. While Chitora Soft has not commented on the potential impact or the number of affected installations, the vulnerability has been catalogued under the Common Vulnerabilities and Exposures (CVE) system. A CVE identifier tracks a vulnerability but does not itself express severity; that is stated separately as a CVSS score, which had not been cited in the reporting reviewed here.
Further details regarding the scope of the vulnerability and the specific versions of Lhaz and Lhaz+ affected remain under review. Security firms are monitoring the situation for any signs of active exploitation in the wild. As of now, no confirmed incidents of the vulnerability being used in cyberattacks have been reported, but the potential for misuse remains a concern for cybersecurity professionals in Japan and abroad.