{
  "threat_severity" : "Important",
  "public_date" : "2026-04-09T17:05:46Z",
  "bugzilla" : {
    "description" : "basic-ftp: Command injection via CRLF sequences in file path parameters",
    "id" : "2456971",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2456971"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-93",
  "details" : [ "A flaw was found in basic-ftp, an FTP client for Node.js. A remote attacker who can influence the file path parameters passed to the library's high-level APIs can exploit this vulnerability by injecting Carriage Return Line Feed (CRLF) sequences into those parameters. Because CRLF terminates a command on the FTP control connection, this allows the attacker to split a single intended FTP command into multiple commands. Such command injection can lead to the execution of arbitrary FTP commands in the client's session, potentially compromising the integrity and availability of data or the system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Developer Hub 1.8",
    "release_date" : "2026-04-22T00:00:00Z",
    "advisory" : "RHSA-2026:9742",
    "cpe" : "cpe:/a:redhat:rhdh:1.8::el9",
    "package" : "rhdh/rhdh-hub-rhel9:1776784286"
  }, {
    "product_name" : "Red Hat Developer Hub 1.9",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13826",
    "cpe" : "cpe:/a:redhat:rhdh:1.9::el9",
    "package" : "rhdh/rhdh-hub-rhel9:1777903262"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/art-images",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Self-service automation portal 2",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/ansible-plugins",
    "cpe" : "cpe:/a:redhat:ansible_portal:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-39983\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39983\nhttps://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b\nhttps://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1\nhttps://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q" ],
  "name" : "CVE-2026-39983",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}