SB20260409100 - FTP command injection in basic-ftp


Published: April 9, 2026

Security Bulletin ID: SB20260409100
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) CRLF injection (CVE-ID: CVE-2026-39983)

The vulnerability allows a remote attacker to inject arbitrary FTP commands.

The vulnerability exists due to improper neutralization of CRLF sequences in high-level path APIs in dist/Client.js and FtpContext.send() when processing attacker-controlled file path parameters. A remote attacker can supply a specially crafted path containing CRLF sequences to inject arbitrary FTP commands.

The issue affects methods such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir().
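As an added example (not basic-ftp's own code and not part of this bulletin): a caller-side guard that rejects CR/LF in path arguments before they reach the client's high-level methods, next to a helper that shows why an unchecked CRLF in a path turns one control-channel command into two. The method names follow the list above; the client object and its recorded commands are a constructed stub, not a real connection.

```javascript
// FTP control-channel commands are terminated by CRLF. If a path argument is interpolated
// into a command without checks, an embedded "\r\n" ends that command early and the rest
// of the path is read by the server as a second command.

// Count how many command lines a raw command would produce for a given path.
// A safe path always yields exactly one line. (Many servers also accept a bare LF
// as a terminator, so split on either form.)
function commandLineCount(verb, path) {
  const raw = `${verb} ${path}\r\n`;
  return raw.split(/\r?\n/).filter((line) => line.length > 0).length;
}

// Reject any path containing CR or LF before it reaches the client API.
function assertSafeFtpPath(path) {
  if (typeof path !== "string") throw new TypeError("FTP path must be a string");
  if (/[\r\n]/.test(path)) {
    throw new Error("FTP path contains CR/LF characters and was rejected");
  }
  return path;
}

// Wrap a client so every string argument of the listed methods is validated first.
// Validation happens synchronously before the underlying method is called, so a bad
// path never produces a command; the wrapped method's return value (a Promise for a
// real basic-ftp client) is passed through unchanged.
const PATH_METHODS = ["cd", "remove", "removeDir", "list", "rename", "uploadFrom", "downloadTo"];

function guardClient(client, methods = PATH_METHODS) {
  const guarded = Object.create(client);
  for (const name of methods) {
    if (typeof client[name] !== "function") continue;
    guarded[name] = (...args) => {
      for (const arg of args) {
        if (typeof arg === "string") assertSafeFtpPath(arg);
      }
      return client[name](...args);
    };
  }
  return guarded;
}

// Constructed stub standing in for a connection: it records the command it would send.
function makeStubClient() {
  const sent = [];
  return {
    sent,
    cd(path) { sent.push(`CWD ${path}`); return true; },
    remove(path) { sent.push(`DELE ${path}`); return true; },
  };
}
```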


Remediation

Install the update from the vendor's website.