What is the CVSS score of CVE-2026-27699?

CVE-2026-27699 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2026-27699?

Organizations using the basic-ftp Node.js library are at critical risk of unauthorized file system access through a path traversal vulnerability that enables attackers to read, modify, or delete…. A patch is available.

Is there a public PoC exploit available for CVE-2026-27699?

Yes, a public proof-of-concept exploit is available for CVE-2026-27699. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-27699?

Within 24 hours: Identify all applications and services using basic-ftp library and document their versions and deployment locations. Within 7 days: Apply vendor patch to upgrade basic-ftp to version 5.2.0 or later across all development, staging, and production environments; prioritize systems handling sensitive data. Within 30 days: Conduct post-patch verification testing and security scanning to confirm remediation; review access logs for signs of exploitation.

Node.js CVE-2026-27699

CRITICAL

Path Traversal (CWE-22)

2026-02-25 security-advisories@github.com

GHSA-5rq4-664w-9x2c

Node.js Path Traversal Basic Ftp Red Hat Suse

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

7.5 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 26, 2026 - 15:27 vuln.today

Public exploit code

Patch released

Feb 26, 2026 - 15:27 nvd

Patch available

CVE Published

Feb 25, 2026 - 15:20 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

The basic-ftp FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the downloadToDir() method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (../) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

AnalysisAI

Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Connect to malicious FTP server

Exploit

Receive crafted directory listing with ../ sequences

Execution

downloadToDir() writes files outside target directory

Impact

Arbitrary file write on client filesystem

Access

Connect to malicious FTP server

Exploit

Receive crafted directory listing with ../ sequences

Execution

downloadToDir() writes files outside target directory

Impact

Arbitrary file write on client filesystem

Vulnerability AssessmentAI

Exploitation	Application uses basic-ftp library version prior to 5.2.0 with downloadToDir() method against untrusted FTP servers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Malicious FTP server returns filenames with '../' traversal, basic-ftp writes downloaded files outside the intended directory, overwriting configuration or injecting code.
Remediation	Update basic-ftp to 5.2.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications and services using basic-ftp library and document their versions and deployment locations. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
SUSE Linux Enterprise Server 16.0	Fixed
SUSE Linux Enterprise Server 16.1	Fixed
SUSE Linux Enterprise Server for SAP applications 16.0	Fixed
SUSE Linux Enterprise Server for SAP applications 16.1	Fixed

CVE-2026-27699 vulnerability details – vuln.today

Back

Node.js CVE-2026-27699

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code