CrushFTP
cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*
- 11.3.6_48
A Cross-Site Scripting (XSS) vulnerability has been identified in CrushFTP version 11.3.6_48. The issue arises in the Web-Based Server's file-sharing feature, which reflects filenames into an email body field without proper sanitization. This lack of sanitization allows for unintentional HTML injection.
Any user holding the 'Rename' permission can place HTML in a filename; that markup is then reflected to other users without any interaction on their part.
To reproduce this vulnerability, upload a file to the CrushFTP server and rename it to include HTML tags, such as a header tag. After renaming, share the file and observe the injected HTML being rendered.
Users are advised to update CrushFTP to version 11.3.7_60 or later, where this vulnerability has been addressed.
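The defect class described above is a missing output-encoding step: a user-controlled filename is placed into an HTML e-mail body as-is. The following is an added example, not CrushFTP's own code, that models that flaw beside its hardened form and adds two defensive controls a practitioner would want: validation at the rename boundary and a post-upgrade audit of stored names. The template, function names and sample filenames are all constructed for illustration.

```python
"""Hardened handling of user-controlled filenames in a share e-mail.

Added example (not CrushFTP code). It models the flaw class in the advisory,
a filename reflected into an HTML e-mail body without encoding, and shows the
fix plus two supporting controls. Names and inputs below are constructed.
"""
import html
import re

# Constructed sample inputs: a benign name and one carrying a header tag.
SAMPLE_FILENAMES = [
    "quarterly-report.pdf",
    "<h1>notice</h1>report.pdf",
]

# Minimal HTML e-mail template standing in for a share notification.
TEMPLATE = (
    '<p>A file has been shared with you: <b>{name}</b></p>'
    '<p><a href="{link}">Download</a></p>'
)


def render_share_email_unsafe(filename: str, link: str) -> str:
    """The flawed pattern: the filename is interpolated verbatim, so any
    markup it carries becomes part of the recipient's rendered e-mail."""
    return TEMPLATE.format(name=filename, link=link)


def render_share_email(filename: str, link: str) -> str:
    """Hardened: contextual output encoding. html.escape rewrites < > & and
    quotes so the filename is displayed as text, never parsed as markup."""
    return TEMPLATE.format(
        name=html.escape(filename, quote=True),
        link=html.escape(link, quote=True),
    )


# Characters that have no business in a filename and are the minimum needed
# to open a tag or break out of an attribute value.
_MARKUP_CHARS = re.compile(r"""[<>"'&]""")


def rename_allowed(new_name: str) -> bool:
    """Defence in depth at the rename boundary: refuse names that carry
    markup characters so the stored value is never markup-bearing.
    Output encoding stays the primary control; this only shrinks exposure."""
    if not new_name or new_name != new_name.strip():
        return False
    return _MARKUP_CHARS.search(new_name) is None


def audit_filenames(names):
    """Post-upgrade audit: return stored names that carry markup characters
    so an administrator can review them. Patching the renderer does not
    clean up names that were stored before the fix."""
    return [n for n in names if _MARKUP_CHARS.search(n)]


if __name__ == "__main__":
    link = "https://example.invalid/share/1"  # constructed placeholder URL
    for name in SAMPLE_FILENAMES:
        print("unsafe :", render_share_email_unsafe(name, link))
        print("safe   :", render_share_email(name, link))
        print("rename ok:", rename_allowed(name))
    print("needs review:", audit_filenames(SAMPLE_FILENAMES))
```

The encoding step belongs wherever the value meets HTML, not only at the e-mail body: the same filename is likely rendered in listings, share pages and log viewers, and each sink needs its own context-appropriate escaping. The rename check and the audit are additive; on their own they do not make an unencoded sink safe.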