CVE-2026-8328
FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
| CVSS Score | 0.0 |
| EPSS Score | 0.1% |
| EPSS Percentile | 16th |
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
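As an added illustration (not code from this page or from CPython itself), the following contrasts the two behaviours the description above describes: the unpatched ftpcp() path, which forwards whatever host the 227 reply names, and the makepasv()-style substitution of the control connection's real peer address. It uses the stdlib `ftplib.parse227()`; the helper names, `PEER_HOST` and the 227 reply are constructed sample values.

```python
import ipaddress
from ftplib import parse227  # stdlib parser for "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"

# Constructed sample: the control connection's real peer (a TEST-NET-2 address)
# and a 227 reply whose embedded address points at a different host entirely.
PEER_HOST = "198.51.100.23"
REDIRECTING_PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,4,210)."


def untrusted_pasv_target(pasv_reply):
    """What the unpatched ftpcp() does: parse the 227 reply and return the
    server-chosen host and port unchanged, ready for target.sendport()."""
    return parse227(pasv_reply)


def hardened_pasv_target(pasv_reply, peer_host, trust_server_pasv_ipv4_address=False):
    """The substitution makepasv() received for CVE-2021-4189, applied to the
    ftpcp() path: keep the port from the 227 reply, but use the control
    connection's actual peer address as the host unless the caller has
    explicitly opted in to trusting the server-supplied one."""
    untrusted_host, port = parse227(pasv_reply)
    host = untrusted_host if trust_server_pasv_ipv4_address else peer_host
    return host, port


def pasv_redirect_detected(pasv_reply, peer_host):
    """Detection helper for logging or alerting: True when a server's 227
    reply would send the data connection to an address other than the
    server the client is actually talking to."""
    untrusted_host, _ = parse227(pasv_reply)
    return ipaddress.ip_address(untrusted_host) != ipaddress.ip_address(peer_host)


if __name__ == "__main__":
    print("unpatched ftpcp() would connect to:", untrusted_pasv_target(REDIRECTING_PASV_REPLY))
    print("hardened path connects to:        ", hardened_pasv_target(REDIRECTING_PASV_REPLY, PEER_HOST))
    print("redirect detected:", pasv_redirect_detected(REDIRECTING_PASV_REPLY, PEER_HOST))
```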
| CWE | CWE-918 |
| Vendor | python software foundation |
| Product | cpython |
| Published | May 13, 2026 |
| Last Updated | Jun 10, 2026 |
Affected Versions
Python Software Foundation / CPython
- from 0 up to (excluding) 3.13.14
- from 3.14.0 up to (excluding) 3.14.6
- from 3.15.0a1 up to (excluding) 3.15.0b2
References
- github.com: https://github.com/python/cpython/issues/87451
- github.com: https://github.com/python/cpython/pull/149648
- mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/
- github.com: https://github.com/python/cpython/commit/5dadc64673ce875ebfb24163907777dae0f6ca06
- github.com: https://github.com/python/cpython/commit/7d95a1dc7382b55cba7fdd6a110336077584a4f0
- github.com: https://github.com/python/cpython/commit/bb3446dda6c49b32e67c11dbbbf221b40be00763
- github.com: https://github.com/python/cpython/commit/c88704431ea3248ca769384c13856330976fac1d
- github.com: https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9
Credits
- Qi Deng (https://github.com/ikow)
- Bénédikt Tran (https://github.com/picnixz)
- Gregory P. Smith (https://github.com/gpshead)