← Back
2026-05-12 20:43CVE-2026-44403VulnCheck
PUBLISHED5.2CWE-94

Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Problem type

Affected products

Wing FTP Server

Wing FTP Server

8.1.2 - AFFECTED

8.1.3 - UNAFFECTED

References

vulncheck.com

https://www.vulncheck.com/advisories/wing-ftp-server-authenticated-remote-code-execution-via-session-serialization

vendor-advisory
wftpserver.com

https://www.wftpserver.com/serverhistory.htm

release-notes

GitHub Security Advisories

GHSA-ffh5-r5xj-cgmg

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the...

https://github.com/advisories/GHSA-ffh5-r5xj-cgmg

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-44403

vulncheck.com

https://www.vulncheck.com/advisories/wing-ftp-server-authenticated-remote-code-execution-via-session-serialization

wftpserver.com

https://www.wftpserver.com/serverhistory.htm

github.com

https://github.com/advisories/GHSA-ffh5-r5xj-cgmg

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-44403
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-44403",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-05-12T21:12:34.823Z",
    "dateReserved": "2026-05-05T21:38:43.137Z",
    "datePublished": "2026-05-12T20:43:41.848Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-05-12T21:12:34.823Z"
      },
      "datePublic": "2026-05-12T21:00:00.000Z",
      "title": "Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization",
      "descriptions": [
        {
          "lang": "en",
          "value": "Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().</p>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Wing FTP Server",
          "product": "Wing FTP Server",
          "defaultStatus": "unknown",
          "versions": [
            {
              "version": "8.1.2",
              "status": "affected",
              "versionType": "semver"
            },
            {
              "version": "8.1.3",
              "status": "unaffected",
              "versionType": "semver"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')",
              "cweId": "CWE-94",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.vulncheck.com/advisories/wing-ftp-server-authenticated-remote-code-execution-via-session-serialization",
          "tags": [
            "vendor-advisory"
          ]
        },
        {
          "url": "https://www.wftpserver.com/serverhistory.htm",
          "tags": [
            "release-notes"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH"
          }
        },
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ünsal Furkan Harani",
          "type": "finder"
        }
      ]
    }
  }
}