#VU125737 CRLF injection in basic-ftp - CVE-2026-39983


Published: April 9, 2026


Vulnerability identifier: #VU125737
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39983
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: basic-ftp
Software vendor: patrickjuchli

Description

The vulnerability allows a remote attacker to inject arbitrary FTP commands.

The vulnerability exists due to improper neutralization of CRLF sequences in high-level path APIs in dist/Client.js and FtpContext.send() when processing attacker-controlled file path parameters. A remote attacker can supply a specially crafted path containing CRLF sequences to inject arbitrary FTP commands.

The issue affects methods such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir().
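The defect described above is that a path argument containing a CR or LF character is placed, unmodified, into the text of an FTP command. Because the FTP control channel terminates each command with CRLF, any CRLF inside the argument ends the command early and the remaining bytes are read by the server as a further command. The following is an added example, not code from basic-ftp or its author, showing an input check that rejects such paths before they reach a command builder, beside the unchecked concatenation for comparison. The names `assertSafeFtpPath`, `buildFtpCommand`, `countCommands` and `demo` are hypothetical, and the sample paths are constructed.

```javascript
// Added example (not basic-ftp's own code). Names below are hypothetical.

// FTP command lines end with CRLF, so a path argument must not itself
// contain CR or LF, or it would close the current command early.
const FORBIDDEN = /[\r\n]/;

// Reject any path argument that contains CR or LF before it is used to
// build a command such as CWD, DELE, RNFR/RNTO, STOR, RETR, LIST or RMD.
function assertSafeFtpPath(path) {
  if (typeof path !== "string") {
    throw new TypeError("FTP path must be a string");
  }
  if (FORBIDDEN.test(path)) {
    throw new Error("FTP path must not contain CR or LF characters");
  }
  return path;
}

// Build a single FTP command line (e.g. "CWD /pub\r\n") from a verb and a
// path, applying the check to the path first.
function buildFtpCommand(verb, path) {
  return `${verb} ${assertSafeFtpPath(path)}\r\n`;
}

// Count how many commands a server would parse from a raw command buffer:
// every CRLF-terminated, non-empty line is one command.
function countCommands(buffer) {
  return buffer.split("\r\n").filter((line) => line.length > 0).length;
}

// Demonstration on constructed sample paths. The "unchecked" string mimics
// concatenating a caller-supplied path straight into the command text;
// NOOP is used as the trailing content because it has no effect on a server.
function demo() {
  const attackerStylePath = "/pub\r\nNOOP"; // constructed sample value
  const safe = buildFtpCommand("CWD", "/pub/incoming");
  const unchecked = `CWD ${attackerStylePath}\r\n`;
  let rejected = false;
  try {
    buildFtpCommand("CWD", attackerStylePath);
  } catch (e) {
    rejected = true;
  }
  return {
    safeCommands: countCommands(safe), // 1
    uncheckedCommands: countCommands(unchecked), // 2: the path became two commands
    rejected, // true: the checked builder refused the path
  };
}

console.log(demo());
```

In an application that passes user-supplied names to methods like cd(), remove() or uploadFrom(), the same check belongs at the boundary where the path is accepted, in addition to whatever the patched library does; rejecting the input (rather than silently stripping the characters) also gives a clear event to log and alert on.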


Remediation

Install the security update from the vendor's website.

External links