{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27699", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.202Z", "datePublished": "2026-02-25T14:58:56.815Z", "dateUpdated": "2026-02-25T14:58:56.815Z"}, "containers": {"cna": {"title": "Basic FTP has Path Traversal Vulnerability in its downloadToDir() method", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c"}, {"name": "https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9"}, {"name": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0"}], "affected": [{"vendor": "patrickjuchli", "product": "basic-ftp", "versions": [{"version": "< 5.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T14:58:56.815Z"}, "descriptions": [{"lang": "en", "value": "The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()`\u00a0method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue."}], "source": {"advisory": "GHSA-5rq4-664w-9x2c", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:patrickjuchli:basic-ftp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "422197F2-36F3-496A-BA4B-09EF41898163", "versionEndExcluding": "5.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()`\u00a0method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue."}], "id": "CVE-2026-27699", "lastModified": "2026-02-26T15:27:45.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-25T15:20:53.523", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "basic-ftp: basic-ftp: File overwrite due to path traversal", "id": "2442644", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442644"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27699", "public_date": "2026-02-25T14:58:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27699\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27699\nhttps://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9\nhttps://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0\nhttps://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c"], "statement": "In default configurations Red Hat on products affected applications do not allow for arbitrary file overwrites. The files which may be overwritten are scoped to the active user permissions that the process is executing with.", "threat_severity": "Important"}