VYPR

WinFtp Server

by Wftpserver

CVEs (9)

  • CVE-2026-44403 | High | May 12, 2026
    risk 0.50 | cvss 7.2 | epss 0.03

    Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe…

  • CVE-2025-47812 | KEV | Jul 10, 2025
    risk 0.22 | cvss | epss 0.95

    In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by…

  • CVE-2025-47813 | KEV | Jul 10, 2025
    risk 0.14 | cvss | epss 0.56

    loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.

  • CVE-2006-6673 | Dec 21, 2006
    risk 0.03 | cvss | epss 0.03

    WinFtp Server 2.0.2 allows remote attackers to cause a denial of service (crash) via long (1) PASV, (2) LIST, (3) USER, (4) PORT, and possibly other commands.

  • CVE-2020-37032 | Jan 30, 2026
    risk 0.00 | cvss | epss 0.01

    Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution…

  • CVE-2025-27889 | Jul 10, 2025
    risk 0.00 | cvss | epss 0.00

    Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.

  • CVE-2025-47811 | Jul 10, 2025
    risk 0.00 | cvss | epss 0.04

    In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task…

  • CVE-2005-2634 | Aug 23, 2005
    risk 0.00 | cvss | epss 0.05

    Buffer overflow in the Log-SCR function in the "Log to Screen" feature in WinFtp Server 1.6.8 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long request.

  • CVE-2004-2400 | Dec 31, 2004
    risk 0.00 | cvss | epss 0.00

    WinFTP Server 1.6 stores username and password credentials in plaintext in the data\user.wfd file, which allows local users to gain access to the credentials.