CVE-2026-39983
highCVSS v3 Base Score
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS Score
2.0%
Exploitation probability in 30 days
Top 16% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
Low
Integrity
High
Availability
Low
Published: April 9, 2026 (92 days ago)
Last Modified: April 9, 2026
Vendor: Red Hat
Fix Available: ✓ Yes
Source: REDHAT
Vulnerability Report
Generated by CyberWatcher
Description
A flaw was found in basic-ftp, an FTP client for Node.js. A remote attacker can exploit this vulnerability by injecting Carriage Return Line Feed (CRLF) sequences into file path parameters used by high-level APIs. This allows the attacker to split a single intended FTP command into multiple commands. Such command injection can lead to the execution of arbitrary commands, potentially compromising the integrity and availability of data or the system.
CWE
CWE-93Affected Products
Red Hat OpenShift AI (RHOAI)Red Hat OpenShift Container Platform 4Self-service automation portal 2Red Hat Developer Hub 1.8Red Hat Developer Hub 1.9