Description

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

INFO

Published Date :

2026-02-25T14:58:56.815Z

Last Modified :

2026-02-27T17:04:33.751Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27699 vulnerability.

Vendors Products
Patrickjuchli
  • Basic-ftp
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27699.

URL Resource
https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9 cve-icon cve-icon cve-icon
https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0 cve-icon cve-icon cve-icon
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-27699 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-27699 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact