Skip to main content

Wing Ftp Server

17 CVEs product

Monthly

CVE-2026-44403 HIGH POC This Week

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Code Injection RCE Wing Ftp Server
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2020-37079 MEDIUM POC This Month

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. [CVSS 4.3 MEDIUM]

CSRF Wing Ftp Server
NVD Exploit-DB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2019-25267 HIGH POC This Week

Wing Ftp Server versions up to 6.0.7 contains a vulnerability that allows attackers to potentially execute arbitrary code with elevated system privileges (CVSS 7.8).

RCE Wing Ftp Server
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37032 HIGH POC This Week

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. [CVSS 8.8 HIGH]

RCE Wing Ftp Server
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-47813 MEDIUM POC KEV PATCH THREAT Act Now

loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.

Information Disclosure Wing Ftp Server
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.5%
CVE-2025-47812 CRITICAL POC KEV PATCH THREAT Act Now

Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through null byte injection in user/admin web interfaces that enables arbitrary Lua code execution in session files. With EPSS 92.7% and KEV listing, this vulnerability guarantees unauthenticated root/SYSTEM code execution on affected servers, as the FTP service runs with maximum privileges by default.

RCE Code Injection Ftp Privilege Escalation Wing Ftp Server
NVD Exploit-DB
CVSS 3.1
10.0
EPSS
92.7%
Threat
7.8
CVE-2025-47811 MEDIUM POC This Month

In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."

Privilege Escalation Wing Ftp Server
NVD
CVSS 3.1
4.1
EPSS
0.1%
CVE-2025-5196 HIGH POC This Month

A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation Wing Ftp Server Red Hat
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
1.5%
CVE-2023-37881 HIGH This Week

Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Authentication Bypass Wing Ftp Server
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2023-37879 HIGH This Week

Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wing Ftp Server
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-37878 HIGH This Week

Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Wing Ftp Server
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-37875 MEDIUM This Month

Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).2.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wing Ftp Server
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2020-9470 HIGH POC This Week

An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wing Ftp Server
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2020-8635 HIGH POC This Week

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and configuration files. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Apple Wing Ftp Server
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2020-8634 HIGH POC This Week

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HTTP file management interface, resulting in files being saved with world-readable and. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apple Wing Ftp Server
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2015-4108 MEDIUM POC PATCH This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in Wing FTP Server before 4.4.7 allow remote attackers to hijack the authentication of administrators for requests that (1) execute. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF RCE Wing Ftp Server
NVD
CVSS 2.0
6.8
EPSS
0.8%
CVE-2012-4729 MEDIUM This Month

Wing FTP Server before 4.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via two zip commands. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Wing Ftp Server
NVD
CVSS 2.0
6.8
EPSS
0.7%
EPSS 0% CVSS 8.6
HIGH POC This Week

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Code Injection RCE Wing Ftp Server
NVD Exploit-DB VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. [CVSS 4.3 MEDIUM]

CSRF Wing Ftp Server
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

Wing Ftp Server versions up to 6.0.7 contains a vulnerability that allows attackers to potentially execute arbitrary code with elevated system privileges (CVSS 7.8).

RCE Wing Ftp Server
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. [CVSS 8.8 HIGH]

RCE Wing Ftp Server
NVD Exploit-DB
EPSS 1% CVSS 4.3
MEDIUM POC KEV PATCH THREAT Act Now

loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.

Information Disclosure Wing Ftp Server
NVD GitHub VulDB
EPSS 93% 7.8 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through null byte injection in user/admin web interfaces that enables arbitrary Lua code execution in session files. With EPSS 92.7% and KEV listing, this vulnerability guarantees unauthenticated root/SYSTEM code execution on affected servers, as the FTP service runs with maximum privileges by default.

RCE Code Injection Ftp +2
NVD Exploit-DB
EPSS 0% CVSS 4.1
MEDIUM POC This Month

In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."

Privilege Escalation Wing Ftp Server
NVD
EPSS 1% CVSS 7.5
HIGH POC This Month

A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation Wing Ftp Server Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Authentication Bypass Wing Ftp Server
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wing Ftp Server
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Wing Ftp Server
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).2.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wing Ftp Server
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wing Ftp Server
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and configuration files. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Apple Wing Ftp Server
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HTTP file management interface, resulting in files being saved with world-readable and. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apple Wing Ftp Server
NVD
EPSS 1% CVSS 6.8
MEDIUM POC PATCH This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in Wing FTP Server before 4.4.7 allow remote attackers to hijack the authentication of administrators for requests that (1) execute. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF RCE Wing Ftp Server
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Wing FTP Server before 4.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via two zip commands. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Wing Ftp Server
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy