CVE-2026-8328

Summary

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.

Affected Software

VendorProductVersion RangeStatus
Python Software FoundationCPython0 < 3.13.14affected
Python Software FoundationCPython3.14.0 < 3.14.6affected
Python Software FoundationCPython3.15.0a1 < 3.15.0b2affected

Weaknesses

  • CWE-918: CWE-918 Server-Side request forgery (SSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References