CVE-2026-8328

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published May 13, 2026

Vendor unknown

Description

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.

References

https://github.com/python/cpython/issues/87451
https://github.com/python/cpython/pull/149648
https://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/