Cyber Resilience

CVE-2026-44403

HighPublic PoCRCE

Published: 12 May 2026

Published
12 May 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0264 83.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-44403 is a high-severity Code Injection (CWE-94) vulnerability in Wftpserver Wing Ftp Server. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values…

more

into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.011 Lua Execution
Adversaries may abuse Lua commands and scripts for execution.
Why these techniques?

Authenticated RCE via unsafe Lua code injection into session serialization (CWE-94), directly enabling public-facing app exploitation and Lua interpreter abuse.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-47812Same product: Wftpserver Wing Ftp Server
CVE-2020-37032Same product: Wftpserver Wing Ftp Server
CVE-2025-47813Same product: Wftpserver Wing Ftp Server
CVE-2025-27889Same product: Wftpserver Wing Ftp Server
CVE-2019-25267Same product: Wftpserver Wing Ftp Server
CVE-2026-22771Shared CWE-94
CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94

Affected Assets

wftpserver
wing ftp server
≤ 8.1.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

References