CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-27699

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 12.4%

CVSS Severity

CVSS v3 Score 9.1

References

https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9
https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c

Products affected by CVE-2026-27699

Patrickjuchli » Basic-Ftp » Version: Any

cpe:2.3:a:patrickjuchli:basic-ftp:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-27699

Products

Pricing

Contact Us