Description
SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an application crash.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in SmartFTP Client version 9.0.2615.0 allows an attacker to trigger a crash by entering an overly long string into the Host field. When a buffer of 300 repeated characters is supplied, the application fails, resulting in a loss of availability for the user and potentially denying service to users who rely on the client for file transfers.

Affected Systems

The issue is limited to SmartFTP Client 9.0.2615.0, which is typically installed on Windows desktops used for file transfer tasks. Users who run this specific client version on a local system are susceptible to the denial of service.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity. No exploit probability score or KEV listing is available, suggesting that automated exploitation is not yet documented. The attack vector is local, requiring the attacker to run the client or supply the Host field directly. Overall, the risk is moderate because the impact is confined to application availability and only occurs with local access.

Generated by OpenCVE AI on March 30, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SmartFTP Client to the latest version that addresses the Host field overflow.
  • Download the newest installer from the official SmartFTP website and verify the version number after installation.
  • If an upgrade is not immediately possible, avoid using the Host field or limit input length to less than 300 characters until a patch is available.

Generated by OpenCVE AI on March 30, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an application crash.
Title SmartFTP Client 9.0.2615.0 Denial of Service via Host Field
Weaknesses CWE-466
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T11:02:25.501Z

Reserved: 2026-03-30T11:00:13.926Z

Link: CVE-2018-25234

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T12:16:17.510

Modified: 2026-03-30T13:26:07.647

Link: CVE-2018-25234

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:55:50Z

Weaknesses