SSRF in Python Software Foundation CPython

CVE-2026-8328

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse22…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.001 (16.2th percentile)
