CVE-2026-44403 HIGH

CVE-2026-44403: Wing FTP Server < 8.1.3 Authenticated Remote Code Execution via Session Serialization

Vendor Wing Ftp Server
Product Wing FTP Server
Weakness CWE-94 · Code injection
Published May 12, 2026
Last update May 13, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 13, 2026 Record updated