Control: tags -1 + confirmed On Sun, 2026-03-01 at 09:04 +0100, Yadd wrote: > node-proxy-agents enbeds basic-ftp which is vulnerable to CVE-2026- > 27699[0]: > > The `basic-ftp` FTP client library for Node.js contains a path > > traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the > > `downloadToDir()` method. A malicious FTP server can send directory > > listings with filenames containing path traversal sequences (`../`) > > that cause files to be written outside the intended download > > directory. Version 5.2.0 patches the issue.
Please go ahead. Regards, Adam
