Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.
History

Tue, 14 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:monstaftp:monsta_ftp:*:*:*:*:*:*:*:*

Tue, 14 Jul 2026 16:15:00 +0000

Type Values Removed Values Added
References

Fri, 10 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Monstaftp
Monstaftp monsta Ftp
Vendors & Products Monstaftp
Monstaftp monsta Ftp

Thu, 09 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.
Title Monsta FTP < 2.14.5 SSRF via IPv4-Mapped IPv6 Address Bypass
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-07-08T21:02:37.204Z

Updated: 2026-07-14T22:03:32.053Z

Reserved: 2026-07-08T13:27:53.030Z

Link: CVE-2026-60105

cve-icon Vulnrichment

Updated: 2026-07-09T13:43:55.980Z

cve-icon NVD

No data.

cve-icon Redhat

No data.