CrushFTP
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-14035 | CrushFTP | Cri | 0.64 | 9.8 | 0.02 | | Aug 30, 2017 | CrushFTP 8.x before 8.2.0 has a serialization vulnerability. |
| CVE-2024-11986 | CrushFTP | Cri | 0.62 | 9.6 | 0.01 | | Dec 13, 2024 | Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs using the application's standard functionality, it enables the execution of the payload, resulting in Stored XSS or… |
| CVE-2017-14038 | CrushFTP | Med | 0.40 | 6.1 | 0.01 | | Aug 30, 2017 | CrushFTP before 7.8.0 and 8.x before 8.2.0 has a redirect vulnerability. |
| CVE-2017-14037 | CrushFTP | Med | 0.40 | 6.1 | 0.01 | | Aug 30, 2017 | CrushFTP before 7.8.0 and 8.x before 8.2.0 has an HTTP header vulnerability. |
| CVE-2017-14036 | CrushFTP | Med | 0.40 | 6.1 | 0.01 | | Aug 30, 2017 | CrushFTP before 7.8.0 and 8.x before 8.2.0 has XSS. |
| CVE-2023-48795 | CrushFTP | Med | 0.39 | 5.9 | 0.93 | | Dec 18, 2023 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently… |
| CVE-2025-31161 | CrushFTP | | 0.28 | — | 1.00 | KEV | Apr 3, 2025 | CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the… |
| CVE-2024-4040 | CrushFTP | | 0.23 | — | 1.00 | KEV | Apr 22, 2024 | A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and… |
| CVE-2025-54309 | CrushFTP | | 0.18 | — | 0.92 | KEV | Jul 18, 2025 | CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025. |
| CVE-2023-43177 | CrushFTP | | 0.09 | — | 0.82 | | Nov 17, 2023 | CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. |
| CVE-2025-63419 | CrushFTP | | 0.00 | — | 0.00 | | Nov 12, 2025 | Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files; the feature reflects the filename into an emailbody field with no sanitization, leading to HTML Injection. |
| CVE-2025-63420 | CrushFTP | | 0.00 | — | 0.00 | | Nov 7, 2025 | CrushFTP 11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions. |
| CVE-2025-32102 | CrushFTP | | 0.00 | — | 0.06 | | Apr 15, 2025 | CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI. |
| CVE-2025-32103 | CrushFTP | | 0.00 | — | 0.12 | | Apr 15, 2025 | CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows directory traversal via the /WebInterface/function/ URI to read files accessible by SMB at UNC share pathnames, bypassing SecurityManager restrictions. |
| CVE-2024-53552 | CrushFTP | | 0.00 | — | 0.01 | | Dec 10, 2024 | CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover. |
| CVE-2024-22910 | CrushFTP | | 0.00 | — | 0.01 | | May 9, 2024 | Cross Site Scripting (XSS) vulnerability in CrushFTP v.10.6.0 and v.10.5.5 allows an attacker to execute arbitrary code via a crafted payload. |
| CVE-2021-44076 | CrushFTP | | 0.00 | — | 0.01 | | Sep 15, 2022 | An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for… |
| CVE-2018-18288 | CrushFTP | | 0.00 | — | 0.01 | | Dec 26, 2019 | CrushFTP through 8.3.0 is vulnerable to credentials theft via URL redirection. |
| CVE-2001-0582 | CrushFTP | | 0.00 | — | 0.01 | | Aug 22, 2001 | Ben Spink CrushFTP FTP Server 2.1.6 and earlier allows a local attacker to access arbitrary files via a '..' (dot dot) attack, or variations, in (1) GET, (2) CD, (3) NLST, (4) SIZE, (5) RETR. |

Sev is the CVSS severity band, so it is blank where the CVSS cell is a dash (no score recorded here). EPSS is the 0–1 probability of exploitation in the wild; KEV marks entries in CISA's Known Exploited Vulnerabilities catalog. Note that the three KEV entries carry no CVSS on this page, so sorting by CVSS alone would bury the issues with confirmed in-the-wild exploitation.
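The three KEV entries and CVE-2024-53552 all state their affected ranges as "before X" per major branch, and two of them say a DMZ proxy instance in front of the server changes exploitability. The Python below is an added example, not CrushFTP's or this listing's code: it parses the version format seen on this page (10.8.4, 11.3.4_23) and reports which of those four ranges a given build falls in, honouring the DMZ caveat. The version grammar (major.minor.patch with an optional _build suffix) is inferred from the strings on this page and is an assumption; the fixed versions are copied from the descriptions above.

```python
"""Triage a CrushFTP build against the 'before X' ranges listed on this page.

Added example, not vendor code. Version grammar (major.minor.patch[_build])
is inferred from the version strings on the page.
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")


def parse_version(text):
    """'11.3.4_23' -> (11, 3, 4, 23); a missing patch or build counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


# Fixed version per major branch, copied from the CVE descriptions above.
# "older": the description covers every earlier major too ("all versions
#          before 10.7.1 and 11.1.0").
# "dmz":   the description says the issue is not exploitable when a DMZ
#          proxy instance fronts the server.
ADVISORIES = {
    "CVE-2025-31161": {"fixed": {10: "10.8.4", 11: "11.3.1"}, "older": False, "dmz": True},
    "CVE-2025-54309": {"fixed": {10: "10.8.5", 11: "11.3.4_23"}, "older": False, "dmz": True},
    "CVE-2024-4040": {"fixed": {10: "10.7.1", 11: "11.1.0"}, "older": True, "dmz": False},
    "CVE-2024-53552": {"fixed": {10: "10.8.3", 11: "11.2.3"}, "older": False, "dmz": False},
}


def version_affected(version, cve):
    """True if the build is inside the range the page states for this CVE."""
    v = parse_version(version)
    adv = ADVISORIES[cve]
    fixed = {branch: parse_version(f) for branch, f in adv["fixed"].items()}
    if v[0] in fixed:
        return v < fixed[v[0]]
    if v[0] < min(fixed):
        # 9.x and earlier: only claim it when the description says so.
        return adv["older"]
    return False  # a major newer than any branch the page mentions


def triage(version, dmz_proxy=False):
    """Map each matching CVE to 'exposed' or 'mitigated by DMZ proxy'."""
    result = {}
    for cve, adv in ADVISORIES.items():
        if version_affected(version, cve):
            mitigated = dmz_proxy and adv["dmz"]
            result[cve] = "mitigated by DMZ proxy" if mitigated else "exposed"
    return result


if __name__ == "__main__":
    for build in ("10.8.4", "11.3.4_22", "11.3.4_23", "9.5"):
        print(build, triage(build))
    print("11.3.0 behind DMZ proxy", triage("11.3.0", dmz_proxy=True))
```

A build suffix matters: 11.3.4 with no suffix sorts below 11.3.4_23 and is therefore reported as exposed to CVE-2025-54309, which is what the description's "before 11.3.4_23" means. "Mitigated by DMZ proxy" only repeats the advisory wording; the build is still inside the vulnerable range and should be updated.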
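CVE-2025-32102 and CVE-2025-32103 both go through the /WebInterface/function/ URI, and the SSRF entry names its parameters (command=telnetSocket with host and port), which is enough to sweep access logs for attempts. The Python below is an added example, not a CrushFTP or vendor tool. It assumes a reverse-proxy access log in Common Log Format that keeps the query string; the log lines are constructed for the example, command names other than telnetSocket in them are placeholders, and the traversal heuristic (a UNC backslash pair or a '..' segment in any parameter value) is an assumption, since the page states only the URI and the UNC-share outcome.

```python
"""Sweep access-log lines for the two /WebInterface/function/ issues above.

Added example, not vendor code. Assumes Common Log Format with the query
string intact. Sample lines are constructed; the traversal heuristic is an
assumption about the request shape.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: source, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
FUNCTION_URI = "/WebInterface/function/"

# Constructed sample traffic (not real logs). Commands other than
# telnetSocket, and the path parameter, are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Apr/2025:10:02:11 +0000] "GET /WebInterface/function/?command=telnetSocket&host=169.254.169.254&port=80 HTTP/1.1" 200 512
198.51.100.7 - - [15/Apr/2025:10:02:40 +0000] "GET /WebInterface/function/?command=getUserList HTTP/1.1" 200 2048
203.0.113.9 - - [15/Apr/2025:10:03:05 +0000] "GET /WebInterface/function/?command=getFile&path=%5C%5C10.0.0.5%5Cshare%5Cfile.txt HTTP/1.1" 200 77
192.0.2.4 - - [15/Apr/2025:10:04:00 +0000] "GET /WebInterface/function/?command=telnetSocket&host=example.com&port=443 HTTP/1.1" 200 90
192.0.2.4 - - [15/Apr/2025:10:05:00 +0000] "GET /WebInterface/login.html HTTP/1.1" 200 1500
"""


def _is_internal_target(host):
    """True for loopback, link-local, private or other non-global addresses."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host.lower() in ("localhost", "localhost.localdomain")


def scan_line(line):
    """Return the findings for one log line (empty list when nothing matches)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    if not url.path.startswith(FUNCTION_URI):
        return []
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    base = {"src": m["src"], "ts": m["ts"]}
    findings = []
    if params.get("command") == "telnetSocket":
        host, port = params.get("host", ""), params.get("port", "")
        # A non-global target (link-local metadata, loopback, RFC1918) is the
        # classic SSRF pivot; an external host is still worth a look.
        findings.append({**base, "cve": "CVE-2025-32102",
                         "severity": "high" if _is_internal_target(host) else "medium",
                         "detail": f"telnetSocket to {host}:{port}"})
    for key, value in params.items():
        decoded = unquote(value)  # second decode catches %255C-style double encoding
        if decoded.startswith("\\\\") or "../" in decoded or "..\\" in decoded:
            findings.append({**base, "cve": "CVE-2025-32103", "severity": "high",
                             "detail": f"UNC/traversal path in {key}={decoded}"})
    return findings


def scan(lines):
    """Flatten findings over an iterable of log lines."""
    return [f for line in lines for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["src"], f["ts"], f["cve"], f["severity"], f["detail"])
```

Run it over a real proxy log only if that proxy records the query string; many default formats truncate it, in which case the telnetSocket match still fires on the path plus command but the host and port will be empty. Any hit on a build inside the ranges in the table (9.x, 10.x through 10.8.4, 11.x through 11.3.1) should be treated as an attempted exploit rather than noise.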