Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.3
Specially crafted FTP file paths can crash or execute code on Linux systems
CVE-2026-28296
Summary
An attacker can crash or execute malicious code on your Linux system by sending a crafted FTP file path. This can happen if your system uses the FTP GVfs backend. To protect your system, update to the latest version of the affected software.
Original title
A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRL...
Original description
A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.
nvd CVSS3.1
4.3
Vulnerability type
CWE-93
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026