🔐 CVE Alert

CVE-2026-8328

Severity: UNKNOWN (CVSS 0.0)

FTP PASV SSRF: ftpcp() does not use the actual peer address and trusts the server-supplied PASV host address

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. That fix patched makepasv() to replace the server-supplied PASV host address with the actual peer address of the control connection (getpeername()[0]) unless trust_server_pasv_ipv4_address is set, but ftpcp() still calls parse227() directly and passes the raw, attacker-controllable IP address and port to target.sendport(). A malicious or compromised source server can therefore make the target server open its data connection to an arbitrary host and port of the attacker's choosing (CWE-918). Only code that calls ftplib.ftpcp() for server-to-server transfers is affected; makepasv()-based transfers already carry the earlier fix. This issue is a follow-up to CVE-2021-4189.
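Worked example, added here and not taken from the advisory, CPython, or the upstream pull request: it runs offline against constructed 227 replies and a stub connection, and shows the trusting behaviour described above for ftpcp(), the peer-address substitution that makepasv() gained for CVE-2021-4189, and a simple mismatch check a client could log on. The addresses, replies and the StubFTP class are constructed for the example, and the shape of hardened_ftpcp_target() is an assumption modelled on the makepasv() fix, not the merged patch.

```python
# Added example for this advisory; not CPython code and not the upstream patch.
# Everything here is constructed and runs without a network connection.
import ftplib
import socket

# Constructed PASV replies.  The "malicious" one advertises an internal host
# that is not the server the client is actually talking to.
HONEST_REPLY = "227 Entering Passive Mode (198,51,100,7,19,136)."
MALICIOUS_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)."
PEER_HOST = "198.51.100.7"  # what getpeername()[0] returns for the control socket


def vulnerable_pasv_target(pasv_reply):
    """What unpatched ftpcp() does: host and port straight from the 227 reply."""
    return ftplib.parse227(pasv_reply)


def hardened_pasv_target(pasv_reply, peer_host, trust_server_pasv_ipv4_address=False):
    """Keep the advertised port, replace the advertised host with the real peer
    address unless the caller opted in (the policy makepasv() uses since the
    CVE-2021-4189 fix)."""
    host, port = ftplib.parse227(pasv_reply)
    if not trust_server_pasv_ipv4_address:
        host = peer_host
    return host, port


def pasv_host_mismatch(pasv_reply, peer_host):
    """Detection check: did the server advertise a data host other than itself?"""
    host, _ = ftplib.parse227(pasv_reply)
    return host != peer_host


def rejects_non_227(reply):
    """parse227() refuses anything that is not a 227 reply; True if it did."""
    try:
        ftplib.parse227(reply)
    except ftplib.error_reply:
        return True
    return False


class StubSock:
    """Stand-in for the control socket; only getpeername() is needed (constructed)."""
    def __init__(self, peer):
        self._peer = peer

    def getpeername(self):
        return self._peer


class StubFTP:
    """Minimal stand-in for ftplib.FTP (constructed for the example; no network)."""
    def __init__(self, peer_host, pasv_reply):
        self.af = socket.AF_INET
        self.sock = StubSock((peer_host, 21))
        self.trust_server_pasv_ipv4_address = False
        self._pasv_reply = pasv_reply

    def sendcmd(self, cmd):
        assert cmd == "PASV"
        return self._pasv_reply


def hardened_ftpcp_target(source):
    """Address a fixed ftpcp() would hand to target.sendport(): the port from the
    source's 227 reply, the host from the source control connection's peer.
    Assumed shape of the fix, modelled on makepasv(); IPv6 transfers use EPSV
    (parse229), which carries no host, so only AF_INET is rewritten."""
    host, port = ftplib.parse227(source.sendcmd("PASV"))
    if source.af == socket.AF_INET and not source.trust_server_pasv_ipv4_address:
        host = source.sock.getpeername()[0]
    return host, port


if __name__ == "__main__":
    print("unpatched ftpcp() would send:", vulnerable_pasv_target(MALICIOUS_REPLY))
    print("hardened target would send:  ", hardened_pasv_target(MALICIOUS_REPLY, PEER_HOST))
    print("mismatch detected:", pasv_host_mismatch(MALICIOUS_REPLY, PEER_HOST))
    print("via stub connection:", hardened_ftpcp_target(StubFTP(PEER_HOST, MALICIOUS_REPLY)))
```

Until a fixed release is available, callers of ftplib.ftpcp() can apply the same substitution themselves before the transfer, or at least log the mismatch check: a server that advertises a data address other than its own is either misconfigured (NAT) or hostile, and neither case should be silently honoured.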

CWE: CWE-918 (Server-Side Request Forgery)
Vendor: Python Software Foundation
Product: CPython
Published: May 13, 2026
Last Updated: May 13, 2026

Affected Versions

Python Software Foundation / CPython: all versions before 3.15.0 (0 < 3.15.0)

References

NVD entry, CVE.org record, EPSS data
https://github.com/python/cpython/issues/87451
https://github.com/python/cpython/pull/149648
https://mail.python.org/archives/list/[email protected]/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/

Credits

Qi Deng (https://github.com/ikow)
Bénédikt Tran (https://github.com/picnixz)
Gregory P. Smith (https://github.com/gpshead)