Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
CVE ID: CVE-2025-27889
CVSS Base Severity: LOW
CVSS Base Score: 3.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Vendor: wftpserver
Product: Wing FTP Server