Description
Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
Published: 2026-05-12
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile(), giving the attacker full code execution on the server.

Affected Systems

Wing FTP Server versions before 8.1.3 are affected. No later versions are listed as impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6, indicating high severity, and the EPSS score is less than 1%, indicating a low but non‑zero exploitation probability. It is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported yet. The attack requires a valid administrator login, so attackers must first authenticate before leveraging the vulnerability, likely via the web interface or FTP control connections.

Generated by OpenCVE AI on May 13, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Wing FTP Server release that addresses the session serialization flaw.
  • If an immediate upgrade is not possible, restrict the domain admin mydirectory field to disallow Lua syntax or disable its editing capability for administrators.
  • Ensure that only trusted administrators have access to the administration interface and monitor session logs for anomalous activity.

Generated by OpenCVE AI on May 13, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Wftpserver
Wftpserver wing Ftp Server
CPEs cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*
Vendors & Products Wftpserver
Wftpserver wing Ftp Server

Wed, 13 May 2026 13:15:00 +0000

Type Values Removed Values Added
Description Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile(). Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
Title Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization Wing FTP Server < 8.1.3 Authenticated Remote Code Execution via Session Serialization
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wing Ftp Server
Wing Ftp Server wing Ftp Server
Vendors & Products Wing Ftp Server
Wing Ftp Server wing Ftp Server

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
References

Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
Title Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Wftpserver Wing Ftp Server
Wing Ftp Server Wing Ftp Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-13T13:20:40.343Z

Reserved: 2026-05-05T21:38:43.137Z

Link: CVE-2026-44403

cve-icon Vulnrichment

Updated: 2026-05-13T12:22:13.338Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T21:16:16.667

Modified: 2026-05-14T14:50:51.863

Link: CVE-2026-44403

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T16:30:36Z

Weaknesses