Wing FTP Server
cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*
- <= 8.1.2
A remote code execution vulnerability has been identified in Wing FTP Server version 8.1.2. It arises in the session serialization process: authenticated administrators can inject arbitrary Lua code through the domain admin mydirectory field. Session values are serialized into Lua source code without properly escaping closing delimiters, so the injected code executes when the compromised session is loaded with the loadfile() function.
Exploitation of this vulnerability allows for authenticated remote code execution on the server.
Users can upgrade to Wing FTP Server version 8.1.3 or later to address this vulnerability.
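The serialization flaw described above, in general form, as an added example (not Wing FTP Server's code and not part of the original advisory). It assumes a serializer that wraps values in Lua long brackets `[[ ]]`, which the advisory does not specify; all function names and sample values are constructed.

```python
import re

# Bytes copied verbatim into the literal; everything else is escaped.
SAFE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 _-./:")

def naive_long_bracket(value: str) -> str:
    """Assumed vulnerable pattern: fixed [[ ]] delimiters, value copied verbatim."""
    return "[[" + value + "]]"

def long_bracket_end(literal: str) -> int:
    """Offset just past the point where a Lua parser ends a level-0 long string:
    the first "]]" after the opening "[[", wherever it came from."""
    return literal.index("]]", 2) + 2

def escapes_literal(value: str) -> bool:
    """True when part of the value would be parsed as Lua source, not string data."""
    literal = naive_long_bracket(value)
    return long_bracket_end(literal) != len(literal)

def lua_quote(value: str) -> str:
    """Hardened form: double-quoted literal, unsafe bytes as 3-digit \\ddd escapes."""
    body = "".join(chr(b) if b in SAFE else "\\%03d" % b for b in value.encode("utf-8"))
    return '"' + body + '"'

def lua_unquote(literal: str) -> str:
    """Decode lua_quote() output; every backslash in it starts a \\ddd escape."""
    raw = re.sub(rb"\\(\d{3})", lambda m: bytes([int(m.group(1))]), literal[1:-1].encode("ascii"))
    return raw.decode("utf-8")

# Constructed sample values for a directory field.
SAMPLES = ["/srv/ftp/alice", "/srv/ftp/a]]b", "/srv/ftp/dir]", 'C:\\ftp\\"x"\n']

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), "escapes [[ ]]:", escapes_literal(v), "safe:", lua_quote(v))
```

The third sample shows the edge case a simple search for `]]` in the value misses: a value that merely ends in `]` combines with the serializer's own closing bracket to end the literal one character early.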