In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."

CVE Database V5

Detailed information about CVE-2025-47811: CWE-267 Privilege Defined With Unsafe Actions in wftpserver Wing FTP Server affecting wftpserver Wing FTP Server. Get

CVE-2025-47811: CWE-267 Privilege Defined With Unsafe Actions in wftpserver Wing FTP Server - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-47811: CWE-267 Privilege Defined With Unsafe Actions in wftpserver Wing FTP Server

Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.

Detailed information about CVE-2025-27889: CWE-15 External Control of System or Configuration Setting in wftpserver Wing FTP Server affecting wftpserver Wing FT

CVE-2025-27889: CWE-15 External Control of System or Configuration Setting in wftpserver Wing FTP Server - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-27889: CWE-15 External Control of System or Configuration Setting in wftpserver Wing FTP Server

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.

Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

Detailed information about CVE-2025-23048: CWE-284 Improper Access Control in Apache Software Foundation Apache HTTP Server affecting Apache Software Foundation

CVE-2025-23048: CWE-284 Improper Access Control in Apache Software Foundation Apache HTTP Server - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-23048: CWE-284 Improper Access Control in Apache Software Foundation Apache HTTP Server

A vulnerability was found in code-projects Mobile Shop 1.0 and classified as critical. This issue affects some unknown processing of the file /LoginAsAdmin.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7409 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Mobile Shop application. The flaw exists in the /LoginAsAdmin.php file, specifically in the handling of the 'email' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially bypassing authentication or extracting sensitive data from the backend database. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with the vector highlighting no privileges or user interaction needed, and low impact on confidentiality, integrity, and availability. Although no public exploits are currently known to be in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The lack of available patches or mitigations from the vendor at this time further elevates the threat. SQL Injection vulnerabilities are among the most severe web application security issues because they can lead to unauthorized data access, data manipulation, or full system compromise depending on the database privileges of the affected application. Given that this vulnerability affects an e-commerce/mobile shop platform, the potential for financial data exposure and administrative account compromise is significant.

Detailed information about CVE-2025-7409: SQL Injection in code-projects Mobile Shop affecting code-projects Mobile Shop. Get real-time updates, technical detai

CVE-2025-7409: SQL Injection in code-projects Mobile Shop - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7409: SQL Injection in code-projects Mobile Shop

loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.

Detailed information about CVE-2025-47813: CWE-209 Generation of Error Message Containing Sensitive Information in wftpserver Wing FTP Server affecting wftpserv