Crushftp: >> Crushftp >> 11.3.5_45 Security Vulnerabilities
Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-11-12
CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions.
CVSS Score
4.1
EPSS Score
0.001
Published
2025-11-07