Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution

Monsta FTP = 2.11 contains an unrestricted file upload vulnerability caused by lack of authentication on file uploads, letting unauthenticated attackers execute arbitrary code by uploading crafted files. id: CVE-2025-34299 info: name: Monsta FTP = 2.11.2 - Unauthenticated Remote Code Execution...

SUSE CVE-2026-48858

Server-Side Request Forgery SSRF vulnerability in Erlang/OTP ftp ftpinternal module allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftpinternal:handlectrlresult/2 PASV handler mode=passive, ipfamily=inet, ftpextension=false extracts the IP address from the...

Linux Distros Unpatched Vulnerability : CVE-2026-44240

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline...

Linux Distros Unpatched Vulnerability : CVE-2026-41324

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory...

CVE-2026-41324

CVE-2026-41324 affects the Node.js FTP client library basic-ftp . Versions prior to 5.3.0 are vulnerable to a denial-of-service caused by unbounded memory growth when processing directory listings from a remote FTP server. A malicious server can send an extremely large or never-ending listing to ...

@activeboxes/piece-sftp (=0.2.6), @activepieces/piece-apify (=0.2.1) +26 more potentially affected by CVE-2026-41324 via basic-ftp (>=5.0.2 <=5.2.2)

basic-ftp NPM version =5.0.2, =0.2.6, =1.0.0, =1.0.0, =2.0.18, =1.9.2, =1.2.0, =4.6.0-blowfish, =1.0.3, =1.0.4, =1.0.5 - @neurarank/node-sftp =0.4.3 and more Source cves: CVE-2026-41324 Source advisory: SNYK:JS-BASICFTP-16094986...

Allocation of Resources Without Limits or Throttling

Overview basic-ftp is a FTP client for Node.js, supports FTPS over TLS, IPv6, Async/Await, and Typescript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the StringWriter method. An attacker can cause excessive memory consumption and...

CVE-2026-39983

A flaw was found in basic-ftp, an FTP client for Node.js. A remote attacker can exploit this vulnerability by injecting Carriage Return Line Feed CRLF sequences into file path parameters used by high-level APIs. This allows the attacker to split a single intended FTP command into multiple command...

@activeboxes/piece-sftp (=0.2.6), @activepieces/piece-apify (=0.2.1) +25 more potentially affected by CVE-2026-39983 via basic-ftp (>=5.0.2 <=5.1.0)

basic-ftp NPM version =5.0.2, =0.2.6, =1.0.0, =1.0.0, =2.0.18, =1.9.2, =1.2.0, =4.6.0-blowfish, =1.0.3, =1.0.4, =0.1.1, =0.2.0 and more Source cves: CVE-2026-39983 Source advisory: SNYK:JS-BASICFTP-15989098...

CVE-2019-25686

Core FTP 2.0 build 653 is affected by an unauthenticated denial-of-service in the PBSZ command. A malformed PBSZ payload exceeding 211 bytes can trigger an access violation and crash the FTP server process. No remediation or fix version is provided in the supplied documents.

Amazon Linux 2023 : gvfs, gvfs-archive, gvfs-client (ALAS2023-2026-1475)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1475 advisory. A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode PASV response. The client...

@activeboxes/piece-sftp (=0.2.6), @activepieces/piece-apify (=0.2.1) +183 more potentially affected by CVE-2026-27699 via basic-ftp (>=2.16.0 <=5.1.0)

basic-ftp NPM version =2.16.0, =0.2.6, =0.2.0, =0.7.0, =0.3.0, =3.0.0, =1.0.0, =1.1.0, =2.0.0, =1.0.0, =1.1.0, =1.0.0, =1.5.1 - @digitranslab/piece-sftp =0.2.6 and more Source cves: CVE-2026-27699 Source advisory: OSV:GHSA-5RQ4-664W-9X2C...

MiracleLinux 3 : httpd-2.2.3-31.2.1AXS3 (AXSA:2009-424:03)

The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2009-424:03 advisory. The Apache HTTP Server is a powerful, efficient, and extensible web server. Security bugs fixed with this release: CVE-2009-3094 The approxyftphandle...

CVE-2009-4103

Buffer overflow in Robo-FTP 3.6.17, and possibly other versions, allows remote FTP servers to cause a denial of service and possibly execute arbitrary code via unspecified FTP server responses. NOTE: the provenance of this information is unknown; the details are obtained solely from third party...

CVE-2021-22793

A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exist in AccuSine PCS+ / PFV+ Versions prior to V1.6.7 and AccuSine PCSn Versions prior to V2.2.4 that could allow an authenticated attacker to access the device via FTP protocol...

CVE-1999-0302

SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server...

CVE-1999-0079

Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports...

CVE-2025-10639

The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304. An attacker with network access to this port can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code...

EUVD-2018-0911

Malware in sbrugna...

EUVD-2002-2041

Malware in sbrugna...