crushftp
Communicationscommercial
Top products
Latest CVEs
The 15 most recently published vulnerabilities affecting crushftp.
- CVE-2025-63419Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanit...6.1
- CVE-2025-63420CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions.4.1
- CVE-2025-54309CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as ex...KEV9.0
- CVE-2025-32102CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.5.0
- CVE-2025-32103CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows directory traversal via the /WebInterface/function/ URI to read files accessible by SMB at UNC share pathnames, bypassing Securit...5.0
- CVE-2025-31161CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April...KEV9.8
- CVE-2024-22910Cross Site Scripting (XSS) vulnerability in CrushFTP v.10.6.0 and v.10.5.5 allows an attacker to execute arbitrary code via a crafted payload.6.1
- CVE-2023-48795The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (fr...5.9
- CVE-2023-43177CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.9.8
- CVE-2021-44076An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cro...4.8
- CVE-2018-18288CrushFTP through 8.3.0 is vulnerable to credentials theft via URL redirection.6.1
- CVE-2017-14036CrushFTP before 7.8.0 and 8.x before 8.2.0 has XSS.6.1
- CVE-2017-14035CrushFTP 8.x before 8.2.0 has a serialization vulnerability.9.8
- CVE-2017-14037CrushFTP before 7.8.0 and 8.x before 8.2.0 has an HTTP header vulnerability.6.1
- CVE-2017-14038CrushFTP before 7.8.0 and 8.x before 8.2.0 has a redirect vulnerability.6.1