CVE-2026-8328

🗓️ 13 May 2026 21:16:00Reported by ubuntu.comType

ubuntucve

ubuntucve🔗 ubuntu.com👁 5 Views

The ftpcp function still passes attacker controlled address and port to target.sendport after the PASV fix.

Reporter	Title	Published	Views	Family All 29
ATTACKERKB	CVE-2026-8328	13 May 202620:14	–	attackerkb
Chainguard	CVE-2026-8328 vulnerabilities	20 May 202619:18	–	cgr
Circl	CVE-2026-8328	14 May 202600:03	–	circl
CNNVD	CPython 代码问题漏洞	13 May 202600:00	–	cnnvd
CVE	CVE-2026-8328	13 May 202620:14	–	cve
Cvelist	CVE-2026-8328 FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address	13 May 202620:14	–	cvelist
Debian CVE	CVE-2026-8328	13 May 202620:14	–	debiancve
EUVD	EUVD-2026-30177	13 May 202621:32	–	euvd
NVD	CVE-2026-8328	13 May 202621:16	–	nvd
OSV	BELL-CVE-2026-8328	22 May 202606:12	–	osv

OS	OS Version	Architecture	Package	Package Version	Filename
Ubuntu	14.04	any	python2.7	0	python2.7_0_any.deb
Ubuntu	16.04	any	python2.7	0	python2.7_0_any.deb
Ubuntu	18.04	any	python2.7	0	python2.7_0_any.deb
Ubuntu	20.04	any	python2.7	0	python2.7_0_any.deb
Ubuntu	22.04	any	python2.7	0	python2.7_0_any.deb
Ubuntu	14.04	any	python3.4	0	python3.4_0_any.deb
Ubuntu	14.04	any	python3.5	0	python3.5_0_any.deb
Ubuntu	16.04	any	python3.5	0	python3.5_0_any.deb
Ubuntu	18.04	any	python3.6	0	python3.6_0_any.deb
Ubuntu	18.04	any	python3.7	0	python3.7_0_any.deb

Source	Link
cve	www.cve.org/CVERecord
mail	www.mail.python.org/archives/list/[email protected]/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/
github	www.github.com/python/cpython/pull/149648
github	www.github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9
github	www.github.com/python/cpython/issues/87451

21 May 2026 14:22Current

5.8Medium risk

Vulners AI Score5.8

CVSS 45.9

EPSS0.00051

SSVC

ftp protocol ftpcp function attacker controlled address target sendport parse227 call pasv fix peer address