CVE-2026-60105

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.
Configurations

No configuration.

History

14 Jul 2026, 16:17

Type Values Removed Values Added
References
  • () https://www.vulncheck.com/blog/monsta-ftp-ssrf-ipv6-blocklist-bypass -

08 Jul 2026, 21:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-08 21:16

Updated : 2026-07-14 16:17


NVD link : CVE-2026-60105

Mitre link : CVE-2026-60105

CVE.ORG link : CVE-2026-60105


JSON object : View

Products Affected

No product.

CWE
CWE-918

Server-Side Request Forgery (SSRF)