Skip to main content

Wing Ftp Server CVE-2026-44403

| EUVDEUVD-2026-29848 HIGH
Code Injection (CWE-94)
2026-05-12 VulnCheck GHSA-ffh5-r5xj-cgmg
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 12, 2026 - 21:22 NVD
7.2 (HIGH) 8.6 (HIGH)
CVE Published
May 12, 2026 - 20:43 nvd
HIGH 8.6

DescriptionCVE.org

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Analysis

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

CVE-2025-47812 CRITICAL POC
10.0 Jul 10

Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through

CVE-2025-47813 MEDIUM POC
4.3 Jul 10

loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a

CVE-2020-37032 HIGH POC
8.8 Jan 30

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authentica

CVE-2019-25267 HIGH POC
7.8 Feb 05

Wing Ftp Server versions up to 6.0.7 contains a vulnerability that allows attackers to potentially execute arbitrary cod

CVE-2020-9470 HIGH POC
7.8 Mar 07

An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Rated high severity (CVSS 7.8), this vulnerabilit

CVE-2020-8635 HIGH POC
7.8 Mar 07

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and configura

CVE-2020-8634 HIGH POC
7.8 Mar 07

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HTTP file ma

CVE-2015-4108 MEDIUM POC
6.8 Jun 10

Multiple cross-site request forgery (CSRF) vulnerabilities in Wing FTP Server before 4.4.7 allow remote attackers to hij

CVE-2023-37881 HIGH
8.8 Sep 12

Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.2.0. Rated high severity (CVSS

CVE-2023-37878 HIGH
8.8 Sep 12

Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.2.0. Rated high sever

CVE-2020-37079 MEDIUM POC
4.3 Feb 07

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administrat

CVE-2025-47811 MEDIUM POC
4.1 Jul 10

In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or S

Share

CVE-2026-44403 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy