CrushFTP 11.3.3_18 Security Vulnerabilities

Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files; the feature reflects the filename to an emailbody field with no sanitization, leading to HTML Injection.
CVSS Score: 6.1
EPSS Score: 0.001
Published: 2025-11-12

CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions.
CVSS Score: 4.1
EPSS Score: 0.001
Published: 2025-11-07

CVE-2025-54309
Known exploited
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
CVSS Score: 9.0
EPSS Score: 0.74
Published: 2025-07-18

