Vulnerability in ftplib.py Affects Python Software Foundation Products
CVE-2026-8328

5.9 MEDIUM

What is CVE-2026-8328?

The ftpcp() function in Lib/ftplib.py does not adequately validate data it receives from a remote FTP server. makepasv() was previously patched so that it no longer accepts the host address a server supplies in its PASV (227) reply, but ftpcp() bypasses that protection: it calls parse227() on the raw reply itself and passes the resulting host and port, both controlled by the server that answered PASV, straight to target.sendport(). A malicious source server can therefore point the target server's data connection at an arbitrary IP address and port, letting an attacker redirect the transfer and compromise the integrity of the affected connection.
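The two code paths described above, as an added example that is not part of this advisory or of CPython's own code: raw_pasv_target() mirrors what ftpcp() does (trust the 227 reply verbatim), while hardened_pasv_target() mirrors the makepasv() mitigation, which takes the host from the control connection's peer address and only honours the server-supplied address when the caller opts in (ftplib's real trust_server_pasv_ipv4_address attribute). ftplib.parse227 is the real module-level parser; the 227 reply, the peer address and the two function names are constructed for the example.

```python
import ftplib

# Constructed sample: a malicious source server's reply to PASV, steering the
# data connection to a third-party host (10.0.0.1) and port (0*256 + 80 = 80)
# instead of its own address.
MALICIOUS_227 = "227 Entering Passive Mode (10,0,0,1,0,80)"


def raw_pasv_target(resp):
    """The unsafe path taken by ftpcp(): parse the 227 reply and use whatever
    host and port the server put in it. Returns (host, port)."""
    return ftplib.parse227(resp)


def hardened_pasv_target(resp, control_peer_host, trust_server_address=False):
    """The path makepasv() takes after its fix: the port still comes from the
    227 reply, but the host is the address the control connection is already
    talking to, unless the caller explicitly trusts the server-supplied one
    (equivalent to setting FTP.trust_server_pasv_ipv4_address = True)."""
    untrusted_host, port = ftplib.parse227(resp)
    host = untrusted_host if trust_server_address else control_peer_host
    return host, port


def compare_targets(resp, control_peer_host):
    """Return both results side by side so the redirection is visible."""
    return {
        "ftpcp_style": raw_pasv_target(resp),
        "makepasv_style": hardened_pasv_target(resp, control_peer_host),
    }


if __name__ == "__main__":
    # 203.0.113.5 stands in for the source server's real control-connection
    # address (constructed, from the documentation range).
    for name, (host, port) in compare_targets(MALICIOUS_227, "203.0.113.5").items():
        print(f"{name}: data connection would go to {host}:{port}")
```

In ftpcp() the tuple returned by the unsafe path is what reaches target.sendport(), so the target server opens its data connection to the attacker-chosen host. A fix along the lines of the hardened function keeps the port from the reply but substitutes the source server's peer address unless the caller has opted in to trusting the server.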

Affected Version(s)

CPython < 3.15.0 (all releases before 3.15.0)

References

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical (as displayed)
Privileges Required: Undefined (as displayed)
User Interaction: Unknown (as displayed)

The last three values are reproduced as the source exported them; "Physical", "Undefined" and "Unknown" are not valid CVSS v4 values for those metrics (Attack Requirements is None or Present), so recompute the vector from the original advisory before relying on this score.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Qi Deng (https://github.com/ikow)
Bénédikt Tran (https://github.com/picnixz)
Gregory P. Smith (https://github.com/gpshead)