QwikSec

Security Database

CVE

CWE

Training

CVE-2026-8328

Published: May 13, 2026

Modified: May 14, 2026

PUBLISHED

Description

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.

Vendor	Product	Versions
Python Software Foundation	CPython	affected `0 - < 3.15.0`

Weaknesses (CWE)

References

https://github.com/python/cpython/issues/87451

issue-tracking

https://github.com/python/cpython/pull/149648

patch

https://mail.python.org/archives/list/[email protected]/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.