CVE-2026-28296

Description

A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.

How to fix CVE-2026-28296

To remediate CVE-2026-28296, upgrade the affected package to a fixed version below.

—upgrade to 1.46.2-2+deb11u1 or later

Is CVE-2026-28296 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.46.2-2+deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-28296