Winftp Server
CVEs (4)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44403 | Hig | 0.47 | 7.2 | 0.00 | May 12, 2026 | Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile(). | |
| CVE-2006-6673 | 0.04 | — | 0.07 | Dec 21, 2006 | WinFtp Server 2.0.2 allows remote attackers to cause a denial of service (crash) via long (1) PASV, (2) LIST, (3) USER, (4) PORT, and possibly other commands. | ||
| CVE-2005-2634 | 0.00 | — | 0.06 | Aug 23, 2005 | Buffer overflow in the Log-SCR function in the "Log to Screen" feature in WinFtp Server 1.6.8 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long request. | ||
| CVE-2004-2400 | 0.00 | — | 0.00 | Dec 31, 2004 | WinFTP Server 1.6 stores username and password credentials in plaintext in the data\user.wfd file, which allows local users to gain access to the credentials. |
- risk 0.47cvss 7.2epss 0.00
Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
- CVE-2006-6673Dec 21, 2006risk 0.04cvss —epss 0.07
WinFtp Server 2.0.2 allows remote attackers to cause a denial of service (crash) via long (1) PASV, (2) LIST, (3) USER, (4) PORT, and possibly other commands.
- CVE-2005-2634Aug 23, 2005risk 0.00cvss —epss 0.06
Buffer overflow in the Log-SCR function in the "Log to Screen" feature in WinFtp Server 1.6.8 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long request.
- CVE-2004-2400Dec 31, 2004risk 0.00cvss —epss 0.00
WinFTP Server 1.6 stores username and password credentials in plaintext in the data\user.wfd file, which allows local users to gain access to the credentials.