CVE Catalog

CVE-2026-8328

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile - higher than 32% of all known CVEs

Summary

Vulnerability in the ftpcp() function in Python's ftplib.py module. This function was not updated when CVE-2021-4189 was fixed, allowing an attacker to control the IP address and port passed to target.sendport().

Risk Assessment

An attacker can exploit this vulnerability to redirect FTP connections to arbitrary IP addresses and ports, potentially leading to SSRF (Server-Side Request Forgery) attacks or bypassing network security controls.

Recommendation

Immediately update the Python library to a version where the ftpcp() function has been properly patched to use the actual server IP address instead of the attacker-supplied address.

Original NVD description (English source)

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS