Lftp

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.8:*:*:*:*:*:*:*

part: a version: 2.6.8 update: *

VendorAlexander V. Lukyanov (28a40080-c498-5448-982e-b1c973ba9c07)
ProductLftp (a31b04ac-ff73-57f8-b741-36e3dfd04dc6)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:deb/debian/lftp purl2cpe 2026-06-01 10:13:08.187926
pkg:deb/ubuntu/lftp purl2cpe 2026-06-01 10:13:08.187928
pkg:github/lavv17/lftp purl2cpe 2026-06-01 10:13:08.187930
pkg:rpm/fedora/lftp purl2cpe 2026-06-01 10:13:08.187931
pkg:rpm/opensuse/lftp purl2cpe 2026-06-01 10:13:08.187933

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2010-2251 vulnerable 2026-06-08 04:55:06.133978 Details available
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
Published: 2010-07-06T14:00:00.000Z
Updated: 2024-08-07T02:25:07.558Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2003-0963 vulnerable 2026-06-08 04:47:22.931919 Details available
Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for lftp 2.6.9 and earlier allow remote HTTP servers to execute arbitrary code via long directory names that are processed by the ls or rels commands.
Published: 2003-12-17T05:00:00.000Z
Updated: 2024-08-08T02:12:35.281Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.