271 matches found
CrushFTP - Authentication Bypass
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access. id: CVE-2025-31161 info: name: CrushFTP - Authenticati...
CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. id: CVE-2023-43177 info: name: CrushFTP 10.5.1 - Unauthenticated Remote Code Execution author: iamnoooob,rootxharsh,pdresearch severity: critical description: | CrushFTP prior...
CrushFTP VFS - Sandbox Escape LFR
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox. id: CVE-2024-4040 info: name: CrushFTP VFS - Sandbox Escape LFR author: DhiyaneshDK,pussycat0x severity:...
Exploit for Code Injection in Crushftp
CVE-2024-4040 — CrushFTP SSTI / LFI Proof of Concept For...
PT-2026-36613
Date: May 2, 2026 Status: ACTIVE GLOBAL EXPLOITATION / MASSIVE RCE WAVE Target: CrushFTP Enterprise Managed File Transfer All versions prior to 11.1.0 Severity: 10.0 MAXIMUM CRITICAL Unauthenticated Remote Code Execution / VFS Escape 1. Analysis: Why "VFS-Shatter" is Today’s Apex Threat While the...
Exploit for Authentication Bypass by Primary Weakness in Crushftp
CVE-2025-3116...
Exploit for Authentication Bypass by Primary Weakness in Crushftp
No d...
Exploit for Unprotected Alternate Channel in Crushftp
C...
Exploit for Authentication Bypass by Primary Weakness in Crushftp
CVE-2025-31161 is a critical severity vulnerability allowing att...
CVE-2023-43177
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes...
CVE-2018-18288
CrushFTP through 8.3.0 is vulnerable to credentials theft via URL redirection...
Exploit for Unprotected Alternate Channel in Crushftp
CrushFTP AS2 Authentication Bypass Research...
Exploit for CVE-2025-63420
CVE-2025-63420 CrushFTP11 before 11.3.757 is vulnerable to s...
CVE-2025-63419
Cross-Site Scripting (XSS) vulnerability in CrushFTP 11.3.648. The web-based server has a feature where users can share files; the feature reflects the filename into an emailbody field with no sanitization, leading to HTML injection...
EUVD-2025-131917
Cross-Site Scripting (XSS) vulnerability in CrushFTP 11.3.648. The web-based server has a feature where users can share files; the feature reflects the filename into an emailbody field with no sanitization, leading to HTML injection...
PT-2025-46678
Name of the Vulnerable Software and Affected Versions: CrushFTP version 11.3.6 48. Description: A Cross-Site Scripting (XSS) issue exists in CrushFTP. The web-based server’s file sharing feature reflects the filename to an email body field without proper sanitization, leading to potential HTML...
CrushFTP Security Vulnerability
CrushFTP is a file transfer server from CrushFTP, Inc. A security vulnerability exists in CrushFTP version 11.3.648, which stems from the web server file sharing feature not cleaning up filenames, and could lead to cross-site scripting attacks...