Home / Vulnerability Intelligence / CVE-2026-44403

CVE-2026-44403 - Vulnerability Analysis

HighCVSS: 7.2

Last Updated: May 13, 2026

Wing FTP Server - Remote Code Execution

Published: May 12, 2026Updated: May 13, 2026PoC AvailableRemote Exploitable

Overview

Wing FTP Server 8.1.2 contains an authenticated remote code execution caused by unsafe serialization of session values into Lua source code in the domain admin mydirectory field, letting authenticated administrators execute arbitrary Lua code remotely, exploit requires authenticated administrator privileges.

Severity & Score

Severity: High

CVSS Score: 7.2

Impact

Authenticated administrators can execute arbitrary Lua code remotely, potentially leading to full server compromise.

Mitigation

Update to the latest version of Wing FTP Server.

References

https://www.wftpserver.com/serverhistory.htm
https://www.vulncheck.com/advisories/wing-ftp-server-authenticated-remote-code-execution-via-session-serialization

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-44403
Severity: High
CVSS Score: 7.2
Type: undefined
Status: unconfirmed

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H