HIGH🇵🇱 Wersja polska

CVE-2026-44403

CVSS 8.6v4.0pub. 2026-05-12upd. 2026-05-14

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Wftpserver Wing Ftp Server

    APP
    Wftpserver
    < 8.1.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-47812CRITICAL10.0⚠ KEVPL ✓ten sam produkt

RCE w Wing FTP Server — wstrzyknięcie kodu Lua przez bajt NULL

CVE-2019-25267HIGH8.5ten sam produkt

Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potential...

CVE-2020-37032HIGH8.6ten sam produkt

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows ...

CVE-2025-5196HIGH7.5ten sam produkt

A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vul...

CVE-2020-8635HIGH7.8ten sam produkt

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and...