Vulnerability CVE-2026-28296: Information

Description

A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.

Severity: MEDIUM (4.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Published: Feb. 26, 2026
Modified: Feb. 27, 2026
Error type identifier: CWE-93
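The CRLF injection class (CWE-93) named in the description, shown as an added example. This is not GVfs code and not the upstream fix. The function names and the sample path are hypothetical, and counting LF bytes is a simplified stand-in for how a server splits the control stream into commands.

```c
#include <stdio.h>
#include <string.h>

/* Flawed pattern: the path is copied into the FTP command verbatim. */
int build_cmd_naive(char *out, size_t n, const char *verb, const char *path) {
    int len = snprintf(out, n, "%s %s\r\n", verb, path);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Hardened pattern: reject any path byte that can end the command line. */
int build_cmd_checked(char *out, size_t n, const char *verb, const char *path) {
    for (const char *p = path; *p; p++)
        if (*p == '\r' || *p == '\n')
            return -1;                /* refuse instead of sending */
    return build_cmd_naive(out, n, verb, path);
}

/* Simplified server view: each LF on the control channel ends one command. */
int count_command_lines(const char *buf) {
    int lines = 0;
    for (; *buf; buf++)
        if (*buf == '\n')
            lines++;
    return lines;
}

int main(void) {
    char buf[256];
    const char *benign  = "/pub/report.txt";
    const char *crafted = "/pub/a\r\nNOOP";   /* constructed sample input */

    build_cmd_naive(buf, sizeof buf, "RETR", benign);
    printf("naive, benign path:   %d command(s)\n", count_command_lines(buf));

    build_cmd_naive(buf, sizeof buf, "RETR", crafted);
    printf("naive, crafted path:  %d command(s)\n", count_command_lines(buf));

    if (build_cmd_checked(buf, sizeof buf, "RETR", crafted) < 0)
        printf("checked, crafted path: rejected\n");
    return 0;
}
```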

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| gvfs | sisyphus | 1.58.2-alt1 | 1.58.2-alt1 | ALT-PU-2026-3836-1 | 409621 | Fixed |
| gvfs | sisyphus_riscv64 | 1.58.2-alt1 | 1.58.2-alt1 | ALT-PU-2026-3892-1 | - | Fixed |
| gvfs | sisyphus_loongarch64 | 1.58.2-alt1 | 1.58.2-alt1 | ALT-PU-2026-3897-1 | - | Fixed |

References to Advisories, Solutions, and Tools