WinFtp Server
by Wftpserver
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44403 | | Hig | 0.50 | 7.2 | 0.03 | | May 12, 2026 | Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe… |
| CVE-2025-47812 | | | 0.22 | — | 0.95 | KEV | Jul 10, 2025 | In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by… |
| CVE-2025-47813 | | | 0.14 | — | 0.56 | KEV | Jul 10, 2025 | loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie. |
| CVE-2006-6673 | | | 0.03 | — | 0.03 | | Dec 21, 2006 | WinFtp Server 2.0.2 allows remote attackers to cause a denial of service (crash) via long (1) PASV, (2) LIST, (3) USER, (4) PORT, and possibly other commands. |
| CVE-2020-37032 | | | 0.00 | — | 0.01 | | Jan 30, 2026 | Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution… |
| CVE-2025-27889 | | | 0.00 | — | 0.00 | | Jul 10, 2025 | Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker. |
| CVE-2025-47811 | | | 0.00 | — | 0.04 | | Jul 10, 2025 | In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task… |
| CVE-2005-2634 | | | 0.00 | — | 0.05 | | Aug 23, 2005 | Buffer overflow in the Log-SCR function in the "Log to Screen" feature in WinFtp Server 1.6.8 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long request. |
| CVE-2004-2400 | | | 0.00 | — | 0.00 | | Dec 31, 2004 | WinFTP Server 1.6 stores username and password credentials in plaintext in the data\user.wfd file, which allows local users to gain access to the credentials. |