CVE-2026-28296 MEDIUM

CVE-2026-28296: Gvfs: ftp gvfs backend: arbitrary ftp command injection via crlf sequences in file paths

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-93 · CRLF injection
Published February 26, 2026
Last update February 26, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.

Key dates

02Disclosure timeline

February 26, 2026 CVE published
February 26, 2026 Record updated