Server-side Request Forgery Vulnerability in Monsta FTP
CVE-2026-60105

7.7HIGH

Key Information:

Vendor
CVE Published:
8 July 2026

What is CVE-2026-60105?

Monsta FTP versions before 2.14.5 are vulnerable to a server-side request forgery (SSRF) defect stemming from an incomplete IP blocklist check in the isBlockedIP() function. This flaw allows an unauthenticated attacker to exploit the fetchRemoteFile action, retrieving a CSRF token from the public getSystemVars endpoint. By using a source URL that resolves to an IPv4-mapped address, the attacker may trick the server into initiating HTTP requests to internal services and redirect responses to an FTP location controlled by the attacker. Consequently, this vulnerability can expose sensitive internal resources and potentially leak cloud instance metadata credentials.

Affected Version(s)

Monsta FTP 0

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein (Chocapikk)
VulnCheck
.