CVE-2026-8328

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername0, ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

CVE-2026-6265

Insecure preserved inherited permissions vulnerability in Cerberus FTP Server on Windows allows Privilege Escalation.This issue has been resolved in Cerberus FTP Server: 2026.1...

CVE-2026-44403

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session...

CVE-2026-44240

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before...

OESA-2026-2571 gvfs security update

Gvfs is a userspace virtual filesystem implementation for GIO a library available in GLib. It comes with a set of backends, including trash support, SFTP, SMB, HTTP, DAV, and many others. Gvfs also contains modules for GIO that implement volume monitors and persistent metadata storage. Security...

OESA-2026-2569 gvfs security update

Gvfs is a userspace virtual filesystem implementation for GIO a library available in GLib. It comes with a set of backends, including trash support, SFTP, SMB, HTTP, DAV, and many others. Gvfs also contains modules for GIO that implement volume monitors and persistent metadata storage. Security...

ROOT-APP-NPM-GHSA-6V7Q-WJVX-W8WG GHSA-6v7q-wjvx-w8wg in @rootio/basic-ftp - Patched by Root

Root has patched GHSA-6v7q-wjvx-w8wg in the @rootio/basic-ftp package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-CVE-2026-27699 CVE-2026-27699 in @rootio/basic-ftp - Patched by Root

Root has patched CVE-2026-27699 in the @rootio/basic-ftp package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-GHSA-RP42-5VXX-QPWR GHSA-rp42-5vxx-qpwr in @rootio/basic-ftp - Patched by Root

Root has patched GHSA-rp42-5vxx-qpwr in the @rootio/basic-ftp package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-CVE-2026-44240 CVE-2026-44240 in @rootio/basic-ftp - Patched by Root

Root has patched CVE-2026-44240 in the @rootio/basic-ftp package for Root:npm. Multiple fixed versions available...

Exploit for OS Command Injection in Vsftpd_Project Vsftpd

vsftpd 2.3.4 Backdoor Exploit A small, dependency-free Python...

Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution

Monsta FTP = 2.11 contains an unrestricted file upload vulnerability caused by lack of authentication on file uploads, letting unauthenticated attackers execute arbitrary code by uploading crafted files. id: CVE-2025-34299 info: name: Monsta FTP = 2.11.2 - Unauthenticated Remote Code Execution...

Rumpus FTP Web File Manager 8.2.9.1 - Cross-Site Scripting

Rumpus FTP Web File Manager 8.2.9.1 contains a reflected cross-site scripting vulnerability via the Login page. An attacker can send a crafted link to end users and can execute arbitrary JavaScript. id: CVE-2019-19368 info: name: Rumpus FTP Web File Manager 8.2.9.1 - Cross-Site Scripting author:...

ROOT-APP-NPM-CVE-2026-41324 CVE-2026-41324 in @rootio/basic-ftp - Patched by Root

Root has patched CVE-2026-41324 in the @rootio/basic-ftp package for Root:npm. Multiple fixed versions available...

CVE-2026-41235 Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement

Froxlor is open source server administration software. Version 2.3.6 lets administrators configure system.availableshells as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit...

Wing FTP 6.4.4 - Cross-Site Scripting

Wing FTP 6.4.4 is vulnerable to cross-site scripting via its web interface because an arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of sandboxed arbitrary HTML and JavaScript in the user's browser. id: CVE-2020-27735 info: name: Wing FTP...

Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie

Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information disclosure vulnerability CVE-2025-47813. The vulnerability occurs due to improper validation of the 'UID' session cookie in the /loginok.html endpoint. Supplying an overlong UID value causes the server to respo...

Apache Solr <= 7.1 - XML Entity Injection

Apache Solr with Apache Lucene before 7.1 is susceptible to remote code execution by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external...

Exploit for Improper Access Control in Proftpd

OpenVAS-Vulnerability-Analysis-Incident-Response-Report Real-W...

ROOT-APP-NPM-CVE-2026-39983 CVE-2026-39983 in @rootio/basic-ftp - Patched by Root

Root has patched CVE-2026-39983 in the @rootio/basic-ftp package for Root:npm. Multiple fixed versions available...