CVE-2026-44403

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
Configurations

Configuration 1

cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*

History

14 May 2026, 14:50

Type | Values Removed | Values Added
CPE | (none) | cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*
First Time | (none) | Wftpserver; Wftpserver wing Ftp Server
References | () https://www.vulncheck.com/advisories/wing-ftp-server-authenticated-remote-code-execution-via-session-serialization - | () https://www.vulncheck.com/advisories/wing-ftp-server-authenticated-remote-code-execution-via-session-serialization - Third Party Advisory
References | () https://www.wftpserver.com/serverhistory.htm - | () https://www.wftpserver.com/serverhistory.htm - Release Notes, Product

13 May 2026, 15:30

Type | Values Removed | Values Added
Summary | (en) Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile(). | (en) Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

12 May 2026, 22:16

Type | Values Removed | Values Added
References | (none) | () https://www.wftpserver.com/serverhistory.htm -

12 May 2026, 21:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-05-12 21:16

Updated : 2026-05-14 14:50


NVD link : CVE-2026-44403

Mitre link : CVE-2026-44403

CVE.ORG link : CVE-2026-44403


Products Affected

wftpserver

  • wing_ftp_server

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')