Description
FileZilla 3.40.0 contains a denial of service vulnerability in the local search functionality that allows local attackers to crash the application by supplying a malformed path string. Attackers can trigger the crash by entering a crafted path containing 384 'A' characters followed by 'BBBB' and 'CCCC' sequences in the search directory field and initiating a local search operation.
Published: 2026-04-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

FileZilla version 3.40.0 contains a vulnerability in its local search functionality that can cause the application to crash when a user supplies a specially crafted path string. The malicious string consists of 384 'A' characters followed by the sequences 'BBBB' and 'CCCC' in the search directory field, triggering a crash during a local search operation.

Affected Systems

The vulnerability affects both the FileZilla client and server products from the Filezilla Project, specifically release 3.40.0.

Risk and Exploitability

The CVSS score is 6.9, indicating a moderate severity. The EPSS score is below 1 %, suggesting the vulnerability is not commonly exploited, and it is not listed in the CISA KEV catalog. Attackers must have local access to the machine running FileZilla and can trigger the crash simply by launching the application and entering the malformed path. The impact is limited to the local system or user, resulting in a denial of service rather than compromising remote systems.

Generated by OpenCVE AI on April 9, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FileZilla client and server to a version newer than 3.40.0
  • Verify the update by checking the application’s version number
  • Monitor application logs for unexpected crashes during local search operations

Generated by OpenCVE AI on April 9, 2026 at 20:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Filezilla-project filezilla Client
CPEs cpe:2.3:a:filezilla-project:filezilla_client:3.40.0:-:*:*:*:*:*:*
Vendors & Products Filezilla-project filezilla Client

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Filezilla-project filezilla
Vendors & Products Filezilla-project filezilla

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description FileZilla 3.40.0 contains a denial of service vulnerability in the local search functionality that allows local attackers to crash the application by supplying a malformed path string. Attackers can trigger the crash by entering a crafted path containing 384 'A' characters followed by 'BBBB' and 'CCCC' sequences in the search directory field and initiating a local search operation.
Title FileZilla 3.40.0 Denial of Service via Local Search
First Time appeared Filezilla-project
Filezilla-project filezilla Server
Weaknesses CWE-532
CPEs cpe:2.3:a:filezilla-project:filezilla_server:3.40.0:*:*:*:*:*:*:*
Vendors & Products Filezilla-project
Filezilla-project filezilla Server
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Filezilla-project Filezilla Filezilla Client Filezilla Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:12:56.747Z

Reserved: 2026-04-05T15:16:49.556Z

Link: CVE-2019-25683

cve-icon Vulnrichment

Updated: 2026-04-06T18:12:49.998Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-05T21:16:46.800

Modified: 2026-04-09T19:17:49.647

Link: CVE-2019-25683

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:45:20Z

Weaknesses