CVE-2026-8328

EUVD-2026-30177
The ftpcp() function in Lib/ftplib.py was not updated when 
CVE-2021-4189 was fixed. While makepasv() was patched to replace 
server-supplied PASV host addresses with the actual peer address 
(getpeername()[0]), ftpcp() still calls parse227() directly and passes 
the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
PSFCNA
5.9 MEDIUM
NETWORK
LOW
NONE
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
pythoncpython
𝑥
< 3.13.14
CNA
pythoncpython
3.14.0 ≤
𝑥
< 3.14.6
CNA
Debian logo
Debian Releases
Debian Product
Codename
pypy3
bookworm
no-dsa
bullseye
postponed
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
no-dsa
python2.7
bullseye
vulnerable
python3.11
bookworm
no-dsa
bookworm (security)
vulnerable
python3.13
forky
3.13.14-1
fixed
sid
3.13.14-1
fixed
trixie
no-dsa
python3.14
forky
3.14.6-1
fixed
sid
3.14.6-1
fixed
python3.9
bullseye
postponed
bullseye (security)
vulnerable
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/python/cpython/commit/5dadc64673ce875ebfb24163907777dae0f6ca06
https://github.com/python/cpython/commit/7d95a1dc7382b55cba7fdd6a110336077584a4f0
https://github.com/python/cpython/commit/bb3446dda6c49b32e67c11dbbbf221b40be00763
https://github.com/python/cpython/commit/c88704431ea3248ca769384c13856330976fac1d
https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9
https://github.com/python/cpython/issues/87451
https://github.com/python/cpython/pull/149648
https://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/