4.3
FTP Client Can Connect to Arbitrary IP and Port on Malicious Server
CVE-2026-28295
Summary
This issue affects FTP clients that connect to a malicious FTP server. The server can trick the client into connecting to an IP address and port of the server's choosing, potentially allowing the server to scan open ports on the client's network. You should update your FTP client to fix this issue.
Original title
A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client uncondi...
Original description
A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.
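One way a client can avoid trusting the address in a PASV reply, shown as an added example (not GVfs code and not the project's actual fix): accept the data endpoint only when its IPv4 address equals the peer of the control connection. The function name, enum, macro and sample replies are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum pasv_verdict { PASV_OK = 0, PASV_MALFORMED = -1, PASV_FOREIGN_HOST = -2 };

/* Hypothetical helper: parse "227 ... (h1,h2,h3,h4,p1,p2)" and accept the
 * data endpoint only if its address equals control_peer, the IPv4 address
 * (host byte order) the control connection is already connected to. */
enum pasv_verdict check_pasv_reply(const char *reply, uint32_t control_peer,
                                   uint16_t *port_out)
{
    unsigned f[6];
    char end = 0;
    const char *p;

    if (strncmp(reply, "227", 3) != 0 || (p = strchr(reply, '(')) == NULL)
        return PASV_MALFORMED;
    if (sscanf(p, "(%3u,%3u,%3u,%3u,%3u,%3u%c", &f[0], &f[1], &f[2], &f[3],
               &f[4], &f[5], &end) != 7 || end != ')')
        return PASV_MALFORMED;
    for (int i = 0; i < 6; i++)
        if (f[i] > 255)                  /* each field is one octet */
            return PASV_MALFORMED;
    if (((f[4] << 8) | f[5]) == 0)       /* port 0 is not a usable endpoint */
        return PASV_MALFORMED;
    /* Core check: never dial an address the server merely claims. */
    if (IPV4(f[0], f[1], f[2], f[3]) != control_peer)
        return PASV_FOREIGN_HOST;
    *port_out = (uint16_t)((f[4] << 8) | f[5]);
    return PASV_OK;
}

int main(void)
{
    /* Constructed sample replies; the control connection peer is 192.0.2.10. */
    const char *replies[] = {
        "227 Entering Passive Mode (192,0,2,10,19,137).",
        "227 Entering Passive Mode (10,0,0,5,0,22).",
    };
    for (size_t i = 0; i < 2; i++) {
        uint16_t port = 0;
        int v = check_pasv_reply(replies[i], IPV4(192, 0, 2, 10), &port);
        printf("%s -> verdict %d, port %u\n", replies[i], v, (unsigned)port);
    }
    return 0;
}
```

EPSV (RFC 2428) replies carry only a port, so a client that uses EPSV reuses the control connection's address by construction.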
NVD CVSS 3.1
4.3
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026