CVE-2026-28295

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions FTP GVfs backend (affected versions not specified)

Description A flaw exists in the FTP GVfs backend where a malicious FTP server can exploit the system by providing a crafted passive mode (PASV) response containing an arbitrary IP address and port. The client unconditionally trusts this information and attempts to connect to the specified endpoint, potentially allowing the malicious server to probe for open ports accessible from the client’s network. This could allow an attacker to gather information about the network configuration of the client system.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2026-28295

OESA-2026-2321

OESA-2026-2322

OESA-2026-2323

OPENSUSE-SU-2026:10275-1

OPENSUSE-SU-2026:20451-1

SUSE-SU-2026:0916-1

SUSE-SU-2026:0923-1

SUSE-SU-2026:0960-1

SUSE-SU-2026:20988-1

USN-8114-1

Affected Products

Gvfs

Linuxmint

Ubuntu

CVE-2026-28295

Weakness Enumeration

Related Identifiers

Affected Products

References · 37