CVE-2026-27699 CRITICAL

CVE-2026-27699: Basic FTP has Path Traversal Vulnerability in its downloadToDir() method

Vendor Patrickjuchli
Product basic-ftp
Weakness CWE-22 · Path traversal
Published February 25, 2026
Last update February 27, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

Key dates

02 Disclosure timeline

February 25, 2026 CVE published
February 27, 2026 Record updated