Security Advisory

CVE-2026-27699

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-02-25 14:58:56

Last updated 2026-02-27 17:04:33

Assigner GitHub_M

State PUBLISHED

Description

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

← Browse all CVEs View on cve.org ↗