CVE-2026-44403

Name of the Vulnerable Software and Affected Versions Wing FTP Server version 8.1.2

Description An authenticated remote code execution issue exists in the session serialization mechanism. Authenticated administrators can inject arbitrary Lua code through the domain admin mydirectory field. This occurs because session values are unsafely serialized into Lua source code without proper escaping of closing delimiters, leading to the execution of injected code when the poisoned session is loaded via the loadfile() function.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.