What is CVE-2026-44403?

CVE-2026-44403 is a high-severity vulnerability in Wftpserver Wing_ftp_server, classified under Code Injection. CVSS score: 7.2/10. Published 2026-05-12.

How severe is CVE-2026-44403?

High severity. CVSS v3 base score is 7.2 out of 10.

Is CVE-2026-44403 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Wftpserver Wing_ftp_server

CVE-2026-44403

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory fi…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.006 (70.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Wftpserver Wing_ftp_server
Wing Ftp Server — versions 8.1.2, 8.1.3

Weakness classification (CWE)

CWE-94 — Code Injection

Public proof-of-concept exploits

ZemarKhos/CVE-2026-44403-WingFTP-v8.1.2-POC-Exploit

References

disclosure@vulncheck.com (vendor-advisory, Third Party Advisory)
disclosure@vulncheck.com (release-notes, Product, Release Notes)

Frequently asked questions

What is CVE-2026-44403?: CVE-2026-44403 is a high-severity vulnerability in Wftpserver Wing_ftp_server, classified under Code Injection. CVSS score: 7.2/10. Published 2026-05-12.
How severe is CVE-2026-44403?: High severity. CVSS v3 base score is 7.2 out of 10.
Is CVE-2026-44403 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.