CVE-2026-8328— FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Python Software Foundation | CPython | < 3.15.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8328
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
Source: NVD (National Vulnerability Database)
Vulnerability Description
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
CPython 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CPython是Python基金会的一个用C语言实现的Python解释器。 CPython存在代码问题漏洞,该漏洞源于Lib/ftplib.py中的ftpcp()函数,可能导致攻击者控制IP地址和端口。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Python Software Foundation | CPython | 0 ~ 3.15.0 | - |
II. Public POCs for CVE-2026-8328
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8328
请登录查看更多情报信息。
- https://github.com/python/cpython/issues/87451issue-tracking
- https://nvd.nist.gov/vuln/detail/CVE-2026-8328
IV. Related Vulnerabilities
Same product: CPython
- CVE-2026-7210
The expat and elementtree parsers use insufficient entropy f - CVE-2026-3087
shutil.unpack_archive() doesn't check for Windows absolute p - CVE-2026-6019
BaseCookie.js_output() does not neutralize embedded characte - CVE-2026-3298
Out-of-bounds write in Windows asyncio.ProacterEventLoop.soc - CVE-2026-5713
Out-of-bounds read/write during remote profiling and asyncio
Same vendor: Python Software Foundation
- CVE-2026-7210
The expat and elementtree parsers use insufficient entropy f - CVE-2026-3087
shutil.unpack_archive() doesn't check for Windows absolute p - CVE-2026-6019
BaseCookie.js_output() does not neutralize embedded characte - CVE-2026-3298
Out-of-bounds write in Windows asyncio.ProacterEventLoop.soc - CVE-2026-5713
Out-of-bounds read/write during remote profiling and asyncio
Same weakness: CWE-918
- CVE-2026-8725
CoreWorxLab CAAL test-hass Endpoint webhooks.py server-side - CVE-2026-45338
Open WebUI: SSRF via OAuth Profile Picture URL in _process_p - CVE-2026-45347
Open WebUI: Blind server side request forgery (SSRF) via the - CVE-2026-45400
Open WebUI: Server-Side Request Forgery (SSRF) bypass in `va - CVE-2026-45401
Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-F
V. Comments for CVE-2026-8328
No comments yet