CVE-2026-28296

EUVD-2026-8861
A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.
CRLF Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
gvfs
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
1.46.2-2+deb11u1
fixed
forky
1.60.0-1
fixed
sid
1.60.0-1
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2026-28296
https://bugzilla.redhat.com/show_bug.cgi?id=2443003