CVE-2026-8328

Name of the Vulnerable Software and Affected Versions CPython (affected versions not specified)

Description The ftpcp() function in Lib/ftplib.py fails to use the actual peer address, instead trusting the host address supplied by the server during a PASV command. This occurs because ftpcp() calls parse227() directly and passes the raw, attacker-controllable IP address and port to target.sendport(), leading to a Server-Side Request Forgery (SSRF), where a server is tricked into making unintended requests to internal or external resources.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.