Lucene search
+L

7 matches found

CVE
CVE
•added 2025/07/10 12:0 a.m.•386 views

CVE-2025-47812

CVE-2025-47812 is a remote code execution vulnerability in Wing FTP Server, affecting versions before 7.4.4. The root cause is improper handling of null bytes ('\0') in user/admin web interfaces, allowing injection of arbitrary Lua code into user session files. The injected code can execute comma...

10CVSS8.7AI score0.95343EPSS
In wild
CVE
CVE
•added 2025/05/26 1:31 p.m.•71 views

CVE-2025-5196

CVE-2025-5196 affects Wing FTP Server up to 7.4.3, via the Lua Admin Console, granting execution with unnecessary privileges. Exploitation appears remote and authenticated (PoC exists). Upgrade to version 7.4.4 to address the issue; vendor notes recommend running the service as a Normal User for ...

7.5CVSS6.6AI score0.00846EPSS
CVE
CVE
•added 2025/07/10 12:0 a.m.•64 views

CVE-2025-47813

Technical details for CVE-2025-47813 are not publicly available in the provided connected documents. Monitor for updates. Initial description notes an information disclosure related to UID cookie length, but no technical specifics are provided here.

4.3CVSS6.4AI score0.56366EPSS
In wild
CVE
CVE
•added 2025/07/10 12:0 a.m.•56 views

CVE-2025-47811

Wing FTP Server (versions up to 7.4.4) is affected by CVE-2025-47811: the admin web interface runs as root/SYSTEM by default, and the web app exposes legitimate ways to execute system commands which are executed with the highest privileges. This creates a potential privilege escalation via the we...

6.6CVSS9.7AI score0.03513EPSS
CVE
CVE
•added 2025/07/10 12:0 a.m.•43 views

CVE-2025-27889

Technical details for CVE-2025-27889 are not provided in the connected documents; the supplied materials focus on CVE-2025-47812 and lack specifics (product/version/impact) for CVE-2025-27889. Monitor for updates.

8.8CVSS7AI score0.0041EPSS
CVE
CVE
•added 2026/05/12 8:43 p.m.•36 views

CVE-2026-44403

Wing FTP Server 8.1.2 is affected: an authenticated remote code execution due to unsafe session serialization that injects Lua via the domain admin mydirectory field, leading to code execution when a poisoned session is loaded with loadfile(). Root cause: unsafe serialization of session values in...

8.6CVSS6.5AI score0.02643EPSS
Web
CVE
CVE
•added 2026/02/06 11:16 p.m.•22 views

CVE-2020-37079

Wing FTP Server prior to version 6.2.7 is affected by a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows an attacker to delete admin users by crafting a malicious HTML page with a hidden form that submits a request without proper authorization. The i...

5.1CVSS5.2AI score0.0017EPSS