CVE-2026-44403
Wing FTP Server < 8.1.3 Authenticated Remote Code Execution via Session Serialization
CVSS Score
7.2
EPSS Score
0.0%
EPSS Percentile
0th
Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
| CWE | CWE-94 |
| Vendor | wing ftp server |
| Product | wing ftp server |
| Published | May 12, 2026 |
| Last Updated | May 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for wing ftp server wing ftp server
Be the first to know when new high vulnerabilities affecting wing ftp server wing ftp server are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
Wing FTP Server / Wing FTP Server
8.1.2
References
Credits
Γnsal Furkan Harani