CVE-2026-8328

N/A Unknown

Published: May 13, 2026 Modified: June 10, 2026

Description

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/python/cpython/commit/5dadc64673ce875ebfb24163907777dae0f6ca06

Source: cna@python.org

https://github.com/python/cpython/commit/7d95a1dc7382b55cba7fdd6a110336077584a4f0

Source: cna@python.org

https://github.com/python/cpython/commit/bb3446dda6c49b32e67c11dbbbf221b40be00763

Source: cna@python.org

https://github.com/python/cpython/commit/c88704431ea3248ca769384c13856330976fac1d

Source: cna@python.org

https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9

Source: cna@python.org

https://github.com/python/cpython/issues/87451

Source: cna@python.org

https://github.com/python/cpython/pull/149648

Source: cna@python.org

https://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/

Source: cna@python.org

8 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

0.4%

32th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-918

Related CVEs

CVE-2026-57346 7.1

CVE-2026-25707 8.8

CVE-2026-13601 7.1

CVE-2026-13557 4.3

CVE-2026-13556 4.3