
CVE-2025-47811
https://notcve.org/view.php?id=CVE-2025-47811
10 Jul 2025 — In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escala... • https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812 • CWE-267: Privilege Defined With Unsafe Actions •

CVE-2025-27889
https://notcve.org/view.php?id=CVE-2025-27889
10 Jul 2025 — Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker. • https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27889.txt • CWE-15: External Control of System or Configuration Setting •

CVE-2025-47813
https://notcve.org/view.php?id=CVE-2025-47813
10 Jul 2025 — loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie. • https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2025-47812 – Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
https://notcve.org/view.php?id=CVE-2025-47812
02 Jul 2025 — In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts. Wing FTP Server allows arbitrary Lua code injection via a NULL-byte (%00) tru... • https://packetstorm.news/files/id/204883 • CWE-158: Improper Neutralization of Null Byte or NUL Character •

CVE-2023-37875 – Cross-Site Scripting Vulnerability in Wing FTP Server <= 7.2.0
https://notcve.org/view.php?id=CVE-2023-37875
12 Sep 2023 — Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS). This issue affects Wing FTP Server: <= 7.2.0. • https://www.wftpserver.com/serverhistory.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-116: Improper Encoding or Escaping of Output •

CVE-2023-37878 – Insecure Default Permissions in Wing FTP Server <= 7.2.0
https://notcve.org/view.php?id=CVE-2023-37878
12 Sep 2023 — Insecure default permissions in Wing FTP Server (Admin Web Client) allow for privilege escalation. This issue affects Wing FTP Server: <= 7.2.0. • https://www.wftpserver.com/serverhistory.htm • CWE-276: Incorrect Default Permissions •

CVE-2023-37879 – Exposed Session Variable in Wing FTP Server <= 7.2.0
https://notcve.org/view.php?id=CVE-2023-37879
12 Sep 2023 — Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation. This issue affects Wing FTP Server: <= 7.2.0. • https://www.wftpserver.com/serverhistory.htm • CWE-922: Insecure Storage of Sensitive Information •

CVE-2023-37881 – Weak Access Control between Domains in Wing FTP Server <= 7.2.0
https://notcve.org/view.php?id=CVE-2023-37881
12 Sep 2023 — Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation. This issue affects Wing FTP Server: <= 7.2.0. • https://www.wftpserver.com/serverhistory.htm • CWE-863: Incorrect Authorization •

CVE-2020-27735
https://notcve.org/view.php?id=CVE-2020-27735
20 Jan 2021 — An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser. • https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-9470
https://notcve.org/view.php?id=CVE-2020-9470
07 Mar 2020 — An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Due to insecure permissions when handling session cookies, a local user may view the contents of the session and session_admin directories, which expose active session cookies within the Wing FTP HTTP interface and administration panel. These cookies may be used to hijack user and administrative sessions, including the ability to execute Lua commands as root within the administration panel. • https://github.com/Al1ex/CVE-2020-9470 • CWE-732: Incorrect Permission Assignment for Critical Resource •