1. Home
  2. CVE Database
  3. CVE-2026-28295
MEDIUM · 4.3

CVE-2026-28295

A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditio...

Vulnerability Description

A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE

Related Weaknesses (CWE)

CWE-918

References

FAQ

What is CVE-2026-28295?

CVE-2026-28295 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditio...

How severe is CVE-2026-28295?

CVE-2026-28295 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-28295?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.