Security update for openvswitch

This update for openvswitch fixes the following issues: CVE-2026-34956: invalid memory access via crafted FTP payloads in userspace conntrack flows specifying the FTP alg handler bsc1261273. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

SUSE-SU-2026:1306-1 Security update for openvswitch

This update for openvswitch fixes the following issues: - CVE-2026-34956: invalid memory access via crafted FTP payloads in userspace conntrack flows specifying the FTP alg handler bsc1261273...

OESA-2026-1872 openvswitch security update

Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Security Fixes: "Description\n===========\n\nMultiple versions of Open vSwitch are vulnerable to crafted FTP payloads\ncausing invalid memory accesses, potential...

OESA-2026-1871 openvswitch security update

Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Security Fixes: "Description\n===========\n\nMultiple versions of Open vSwitch are vulnerable to crafted FTP payloads\ncausing invalid memory accesses, potential...

CVE-2026-40188 goshs is Missing Write Protection for Parametric Data Values

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4...

CVE-2026-40188

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4...

CVE-2026-23781

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface...

EUVD-2026-21370

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable...

CVE-2026-23781

CVE-2026-23781 affects BMC Control-M/MFT 9.0.20–9.0.22. A set of default debug user credentials is hardcoded in cleartext in the application package, and, if unchanged, could be obtained to gain unauthorized access to the MFT API debug interface. The CVSS v3.1 base score is 9.8 (CRITICAL) with ne...

CVE-2026-23781

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface...

PT-2026-31921

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable...

BMC Control-M/MFT 安全漏洞

BMC Control-M/MFT is an enterprise-level file transfer and job scheduling integration management automation software developed by the American company BMC. Versions of BMC Control-M/MFT 9.0.22 and earlier contained security vulnerabilities. These vulnerabilities stemmed from hardcoded default deb...

DEBIAN-CVE-2026-39983

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...

CVE-2026-39983

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...

CVE-2026-39983 FTP Command Injection via CRLF in basic-ftp

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...

@activeboxes/piece-sftp (=0.2.6), @activepieces/piece-apify (=0.2.1) +25 more potentially affected by CVE-2026-39983 via basic-ftp (>=5.0.2 <=5.1.0)

basic-ftp NPM version =5.0.2, =0.2.6, =1.0.0, =1.0.0, =2.0.18, =1.9.2, =1.2.0, =4.6.0-blowfish, =1.0.3, =1.0.4, =0.1.1, =0.2.0 and more Source cves: CVE-2026-39983 Source advisory: SNYK:JS-BASICFTP-15953339...

EUVD-2019-20097

Xlight FTP Server 3.9.1 contains a structured exception handler SEH overwrite vulnerability that allows local attackers to crash the application and overwrite SEH pointers by supplying a crafted buffer string. Attackers can inject a 428-byte payload through the program execution field in virtual...

CVE-2019-25681 Xlight FTP Server 3.9.1 SEH Overwrite Buffer Overflow

Xlight FTP Server 3.9.1 contains a structured exception handler SEH overwrite vulnerability that allows local attackers to crash the application and overwrite SEH pointers by supplying a crafted buffer string. Attackers can inject a 428-byte payload through the program execution field in virtual...

Libssh: libssh: denial of service due to malformed sftp message

...

curl: FTP entrypath accepts 0xFF (Telnet IAC) through incomplete ISCNTRL filter, sent on wire via CWD on connection reuse

Summary A malicious FTP server can embed byte 0xFF Telnet IAC in the PWD response path. The ISCNTRL filter at lib/ftp.c:3095 expands to ISLOWCNTRLx || IS7Fx, which is unsigned charx entrypath line 3131 and sent verbatim via CWD %s on connection reuse line 849. I understand the KNOWNRISK.md and...