FTP-Flask-Python Command Injection Vulnerability

Vulnerability

A command injection vulnerability exists in FTP-Flask-Python, specifically in the application's FTP management feature. The vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands. This issue arises because the 'Upload File' action on the '/ftp.html' endpoint constructs a shell command using the 'ftp_file' parameter and executes it with 'os.system()' without any proper input validation or sanitization.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where FTP-Flask-Python is running.

Reproduction

To reproduce this vulnerability, send a POST request to the '/ftp.html' endpoint with the 'submit' parameter set to 'Upload File' and the 'ftp_file' parameter containing the payload. The application will execute the command specified in the 'ftp_file' parameter on the server.
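The pattern the advisory describes (a form value spliced into a shell string and run with os.system()) beside a hardened version, as an added illustration that is not FTP-Flask-Python's own code; the 'ftp-upload' tool name and the '/srv/ftp/uploads' directory are placeholders, since the advisory does not say which command the application builds.

```python
import re
from pathlib import PurePosixPath

# Vulnerable pattern as described in the advisory (a reconstruction, not the
# project's code): the 'ftp_file' form value is interpolated into a shell
# string that is then handed to os.system(), so any shell metacharacters in
# the value are interpreted by the shell rather than treated as a file name.
def build_upload_command_vulnerable(ftp_file: str) -> str:
    return f"ftp-upload {ftp_file}"   # 'ftp-upload' is a placeholder tool name
    # os.system(build_upload_command_vulnerable(request.form["ftp_file"]))

# Hardened form: allow-list the file name, pin it under a fixed directory and
# pass it to subprocess.run() as an argv list with shell=False, so the value
# is always a single argument and is never parsed by a shell.
UPLOAD_DIR = PurePosixPath("/srv/ftp/uploads")   # assumed upload root
# First character must be alphanumeric, which also rejects '.' and '..'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

def is_safe_ftp_file(ftp_file: str) -> bool:
    """True only for plain file names: no separators, no shell metacharacters."""
    return bool(SAFE_NAME.match(ftp_file))

def build_upload_argv(ftp_file: str) -> list[str]:
    """Validate the user-supplied name and return the argv list to execute."""
    if not is_safe_ftp_file(ftp_file):
        raise ValueError("rejected ftp_file value")
    return ["ftp-upload", str(UPLOAD_DIR / ftp_file)]

def upload_file(ftp_file: str) -> int:
    """Run the upload without a shell and return the tool's exit status."""
    import subprocess
    argv = build_upload_argv(ftp_file)
    return subprocess.run(argv, shell=False, check=False).returncode
```

Rejecting the request with a 400 on ValueError, and logging the rejected value, gives an easy detection signal for injection attempts against this endpoint.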

Added: Sep 9, 2025, 9:23 PM
Updated: Sep 9, 2025, 9:23 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          10.0
exploitability  8.4
remediation     0.0
relevance       0.5
threat          4.8
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.