Cyber Resilience

CVE-2026-27699

Critical · Public PoC

Published: 25 February 2026
Modified: 26 February 2026
KEV Added: not listed
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS: 0.0053 (40.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27699 is a critical-severity Path Traversal (CWE-22) vulnerability in the `basic-ftp` Node.js library (vendor/product: Patrickjuchli Basic-Ftp). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE is ranked at the 40.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27699 is a path traversal vulnerability (CWE-22) in the `basic-ftp` FTP client library for Node.js, affecting versions prior to 5.2.0. The flaw exists in the `downloadToDir()` method, where a malicious FTP server can send directory listings with filenames containing path traversal sequences such as `../`. This causes downloaded files to be written outside the intended download directory on the client side.

The vulnerability can be exploited by any attacker who controls an FTP server to which a victim application connects using the affected library. Per the CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), exploitation is achievable remotely with low complexity, no privileges, and no user interaction. Attackers can achieve high integrity and availability impacts by writing files to arbitrary locations outside the specified directory on the victim's filesystem.

Mitigation is available in `basic-ftp` version 5.2.0, which patches the issue. Security advisories recommend updating to this version or later. Relevant resources include the GitHub security advisory at https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c, release notes at https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0, and the patching commit at https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9.


Vulnerability details

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1105 Ingress Tool Transfer (tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

The path traversal vulnerability enables a malicious FTP server to write downloaded files to arbitrary locations on the client filesystem, directly facilitating ingress of tools or malware over FTP (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39983 · Same product: Patrickjuchli Basic-Ftp
CVE-2026-41324 · Same product: Patrickjuchli Basic-Ftp
CVE-2026-20660 · Shared CWE-22
CVE-2026-23535 · Shared CWE-22
CVE-2026-27969 · Shared CWE-22
CVE-2026-40611 · Shared CWE-22
CVE-2026-7398 · Shared CWE-22
CVE-2026-39305 · Shared CWE-22
CVE-2026-32055 · Shared CWE-22
CVE-2026-42315 · Shared CWE-22

Affected Assets

patrickjuchli / basic-ftp, versions prior to 5.2.0 (fixed in 5.2.0)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): Directly addresses the CVE by requiring identification, reporting, and timely patching of the vulnerable basic-ftp library to version 5.2.0 or later.

SI-10 Information Input Validation (prevent): Prevents path traversal exploitation by enforcing validation of server-supplied filenames in the downloadToDir() method to block sequences like '../' before writing files.

Detect: Enables detection of the vulnerable basic-ftp library versions through regular vulnerability scanning and monitoring.
