HIGH🇵🇱 Wersja polska

CVE-2020-37032

CVSS 8.6v4.0pub. 2026-01-30upd. 2026-02-18

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Wftpserver Wing Ftp Server

    APP
    Wftpserver
    6.3.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2025-47812CRITICAL10.0⚠ KEVPL ✓ten sam produkt

RCE w Wing FTP Server — wstrzyknięcie kodu Lua przez bajt NULL

CVE-2026-44403HIGH8.6ten sam produkt

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session seri...

CVE-2019-25267HIGH8.5ten sam produkt

Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potential...

CVE-2025-5196HIGH7.5ten sam produkt

A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vul...

CVE-2020-8634HIGH7.8ten sam produkt

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HT...