Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CVE-2026-27699)

Summary There are vulnerabilities in basic-ftp-5.0.3.tgz, basic-ftp-5.0.5.tgz used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-27699. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-27699 DESCRIPTION: The basic-ftp FTP client library for Node.js...

Security Bulletin: IBM App Connect Enterprise Certified Container flows that use the Box or Databricks connectors are vulnerable to loss of confidentiality (CVE-2026-27699)

Summary Node.js module basic-ftp is used by IBM App Connect Enterprise Certified Container in the connectors for Box and Databricks. IBM App Connect Enterprise Certified Container IntergationRuntime and IntegrationServer operands that run flows containing Box or Databricks connectors are vulnerab...

📄 basic-ftp Path Traversal / Arbitrary File Write

basic-ftp versions prior to 5.2.0 proof of concept that demonstrates an arbitrary file write using a path traversal. ============================================================================================================================================= | Title : basic-ftp prior to version...

CVE-2026-27699 vulnerabilities

Vulnerabilities for packages: langfuse, opensearch-dashboards, code-server...

@activeboxes/piece-sftp (=0.2.6), @activepieces/piece-apify (=0.2.1) +25 more potentially affected by CVE-2026-27699 via basic-ftp (>=5.0.2 <=5.1.0)

basic-ftp NPM version =5.0.2, =0.2.6, =1.0.0, =1.0.0, =2.0.18, =1.9.2, =1.2.0, =4.6.0-blowfish, =1.0.3, =1.0.4, =0.1.1, =0.2.0 and more Source cves: CVE-2026-27699 Source advisory: SNYK:JS-BASICFTP-15366428...

@activeboxes/piece-sftp (=0.2.6), @activepieces/piece-apify (=0.2.1) +183 more potentially affected by CVE-2026-27699 via basic-ftp (>=2.16.0 <=5.1.0)

basic-ftp NPM version =2.16.0, =0.2.6, =0.2.0, =0.7.0, =0.3.0, =3.0.0, =1.0.0, =1.1.0, =2.0.0, =1.0.0, =1.1.0, =1.0.0, =1.5.1 - @digitranslab/piece-sftp =0.2.6 and more Source cves: CVE-2026-27699 Source advisory: OSV:GHSA-5RQ4-664W-9X2C...

CVE-2026-27699

The basic-ftp FTP client library for Node.js contains a path traversal vulnerability CWE-22 in versions prior to 5.2.0 in the downloadToDir method. A malicious FTP server can send directory listings with filenames containing path traversal sequences ../ that cause files to be written outside the...

CVE-2026-27699 Basic FTP has Path Traversal Vulnerability in its downloadToDir() method

The basic-ftp FTP client library for Node.js contains a path traversal vulnerability CWE-22 in versions prior to 5.2.0 in the downloadToDir method. A malicious FTP server can send directory listings with filenames containing path traversal sequences ../ that cause files to be written outside the...

CVE-2026-27699 Basic FTP has Path Traversal Vulnerability in its downloadToDir() method

The basic-ftp FTP client library for Node.js contains a path traversal vulnerability CWE-22 in versions prior to 5.2.0 in the downloadToDir method. A malicious FTP server can send directory listings with filenames containing path traversal sequences ../ that cause files to be written outside the...