CVE-2026-8328
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk32th percentile - higher than 32% of all known CVEs
Summary
Vulnerability in the ftpcp() function in Python's ftplib.py module. This function was not updated when CVE-2021-4189 was fixed, allowing an attacker to control the IP address and port passed to target.sendport().
Risk Assessment
An attacker can exploit this vulnerability to redirect FTP connections to arbitrary IP addresses and ports, potentially leading to SSRF (Server-Side Request Forgery) attacks or bypassing network security controls.
Recommendation
Immediately update the Python library to a version where the ftpcp() function has been properly patched to use the actual server IP address instead of the attacker-supplied address.
Original NVD description (English source)
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.

