CVE-2026-28296 — CRLF Injection in Gvfs

CWE-93 — CRLF Injection8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 79.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Gvfs Debian Gvfs

Timeline

PublishedFeb 26

Latest updateMar 23

Description

A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/gvfs< gvfs 1.46.2-2+deb11u1 (bullseye)

▶Debiangnome/gvfs< 1.46.2-2+deb11u1+1

▶Ubuntugnome/gvfs< 1.48.2-0ubuntu1.1+2

🔴Vulnerability Details

OSV

gvfs vulnerabilities↗2026-03-23

▶

GHSA

GHSA-r8j5-pj3m-qhpv: A flaw was found in the FTP GVfs backend↗2026-02-26

▶

OSV

CVE-2026-28296: A flaw was found in the FTP GVfs backend↗2026-02-26

▶

📋Vendor Advisories

Ubuntu

GVfs vulnerabilities↗2026-03-23

▶

Red Hat

gvfs: FTP GVfs backend: Arbitrary FTP command injection via CRLF sequences in file paths↗2026-02-26

▶

Debian

CVE-2026-28296: gvfs - A flaw was found in the FTP GVfs backend. A remote attacker could exploit this i...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28296 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶