๐Ÿ” CVE Alert

CVE-2026-60105

HIGH 8.6

Monsta FTP < 2.14.5 SSRF via IPv4-Mapped IPv6 Address Bypass

CVSS Score
8.6
EPSS Score
0.3%
EPSS Percentile
23th

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.

CWE CWE-918
Vendor monsta limited of new zealand
Product monsta ftp
Published Jul 8, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for monsta limited of new zealand monsta ftp

Be the first to know when new high vulnerabilities affecting monsta limited of new zealand monsta ftp are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

Monsta Limited of New Zealand / Monsta FTP
0 < 2.14.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
vulncheck.com: https://www.vulncheck.com/blog/monsta-ftp-ssrf-ipv6-blocklist-bypass monstaftp.com: https://www.monstaftp.com/notes/ vulncheck.com: https://www.vulncheck.com/advisories/monsta-ftp-ssrf-via-ipv4-mapped-ipv6-address-bypass

Credits

Valentin Lobstein (Chocapikk) VulnCheck