CVE-2026-39983

Published: Apr 09, 2026 Last Modified: Apr 14, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,6

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: high

Availability: low

Description

AI Translation Available

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0156

Percentile

0,8th

Updated

EPSS Score Trend (Last 7 Days)

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity

Potential Impacts:

Modify Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

Application

Basic-Ftp by Patrickjuchli

Product Information

Vendor Patrickjuchli

Product Basic-Ftp

Version Range Affected

To 5.2.1 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:patrickjuchli:basic-ftp:*:*:*:*:*:node.js:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/patrickjuchli/basic-ftp/security/advisor…

https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-p…

https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c5…

https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde…

https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.…

https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1

https://github.com/patrickjuchli/basic-ftp/security/advisor…

https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-p…

CVE-2026-39983

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 7 Days)

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Common Consequences

Applicable Platforms

Basic-Ftp by Patrickjuchli

Product Information

Iscriviti alla newsletter