CVE-2026-28295 — Server-Side Request Forgery in Gvfs

CWE-918 — Server-Side Request Forgery8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 90.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Gvfs Debian Gvfs

Timeline

PublishedFeb 26

Latest updateMar 23

Description

A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/gvfs< gvfs 1.46.2-2+deb11u1 (bullseye)

▶Debiangnome/gvfs< 1.46.2-2+deb11u1+1

▶Ubuntugnome/gvfs< 1.48.2-0ubuntu1.1+2

🔴Vulnerability Details

OSV

gvfs vulnerabilities↗2026-03-23

▶

OSV

CVE-2026-28295: A flaw was found in the FTP GVfs backend↗2026-02-26

▶

GHSA

GHSA-pp79-4qx3-mf4h: A flaw was found in the FTP GVfs backend↗2026-02-26

▶

📋Vendor Advisories

Ubuntu

GVfs vulnerabilities↗2026-03-23

▶

Red Hat

gvfs: GVfs FTP backend: Information disclosure via untrusted PASV responses↗2026-02-26

▶

Debian

CVE-2026-28295: gvfs - A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit thi...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28295 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶