Home / Vulnerability Intelligence / CVE-2026-27699

CVE-2026-27699 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: February 26, 2026

basic-ftp - Path Traversal

Published: February 25, 2026Updated: February 26, 2026PoC AvailableRemote Exploitable

Overview

basic-ftp FTP client library for Node.js < 5.2.0 contains a path traversal caused by improper handling of directory listings in downloadToDir() method, letting malicious FTP servers write files outside intended directories, exploit requires interaction with a malicious FTP server.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 5.6%(Probability of exploitation in next 30 days)

Impact

Malicious FTP servers can write files outside intended directories, potentially overwriting critical files and compromising the system.

Mitigation

Update to version 5.2.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 25, 2026

🔴 CVE-2026-27699 - Critical (9.1) The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversa... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27699/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-27699
Severity: Critical
CVSS Score: 9.1
Type: path_traversal
Status: confirmed
EPSS: 5.6%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score

5.6%Probability of exploitation in the next 30 days