cerberusftp CVE Vulnerabilities & Metrics

Focus on cerberusftp vulnerabilities and metrics.

Last updated: 12 May 2026, 22:25 UTC

About cerberusftp Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with cerberusftp. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total cerberusftp CVEs: 6
Earliest CVE date: 02 Jul 2010, 20:30 UTC
Latest CVE date: 27 Apr 2026, 14:16 UTC

Latest CVE reference: CVE-2026-6265

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical cerberusftp CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.47

Max CVSS: 6.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	1
4.0-6.9	9
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS cerberusftp CVEs

These are the five CVEs with the highest CVSS scores for cerberusftp, sorted by severity first and recency.

CVE-2012-2999 cerberusftp Published on 04 Oct 2012, 19:55 UTC (CVSS: 6.8)
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in Cerberus FTP Server before 5.0.5.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user account or (2) reconfigure the state of the FTP service, as demonstrated by a request to usermanager/users/modify.
CVE-2020-5196 cerberusftp Published on 14 Jan 2020, 14:15 UTC (CVSS: 5.5)
Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see fil...
CVE-2020-5194 cerberusftp Published on 14 Jan 2020, 14:15 UTC (CVSS: 5.5)
The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.
CVE-2017-6367 cerberusftp Published on 14 Mar 2017, 09:59 UTC (CVSS: 5.0)
In Cerberus FTP Server 8.0.10.1, a crafted HTTP request causes the Windows service to crash. The attack methodology involves a long Host header and an invalid Content-Length header.
CVE-2012-5301 cerberusftp Published on 04 Oct 2012, 19:55 UTC (CVSS: 5.0)
The default configuration of Cerberus FTP Server before 5.0.4.0 supports the DES cipher for SSH sessions, which makes it easier for remote attackers to obtain sensitive information by sniffing the network and performing a brute-force attack on the encrypted data.

All CVEs for cerberusftp

CVE-2026-6265 cerberusftp vulnerability CVSS: 0 27 Apr 2026, 14:16 UTC

Insecure preserved inherited permissions vulnerability in Cerberus FTP Server on Windows allows Privilege Escalation.This issue has been resolved in Cerberus FTP Server: 2026.1

CVE-2019-25046 cerberusftp vulnerability CVSS: 4.3 10 Jun 2021, 12:15 UTC

The Web Client in Cerberus FTP Server Enterprise before 10.0.19 and 11.x before 11.0.4 allows XSS via an SVG document.

CVE-2020-5196 cerberusftp vulnerability CVSS: 5.5 14 Jan 2020, 14:15 UTC

Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see files, folders, and hidden files, and can create directories without permission.

CVE-2020-5194 cerberusftp vulnerability CVSS: 5.5 14 Jan 2020, 14:15 UTC

The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.

CVE-2020-5195 cerberusftp vulnerability CVSS: 4.3 13 Jan 2020, 18:15 UTC

Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folder_up.png IMG element not properly sanitizing user-inserted directory paths. The path modification must be done on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability impacts anyone who clicks the malicious link crafted by the attacker.

CVE-2017-6367 cerberusftp vulnerability CVSS: 5.0 14 Mar 2017, 09:59 UTC

In Cerberus FTP Server 8.0.10.1, a crafted HTTP request causes the Windows service to crash. The attack methodology involves a long Host header and an invalid Content-Length header.

CVE-2012-6339 cerberusftp vulnerability CVSS: 4.3 31 Dec 2012, 11:50 UTC

Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cerberus FTP Server before 5.0.6.0 allow (1) remote attackers to inject arbitrary web script or HTML via a log entry that is not properly handled within the Log Manager component, and might allow (2) remote authenticated administrators to inject arbitrary web script or HTML via a Messages field to the servermanager program.

CVE-2012-5301 cerberusftp vulnerability CVSS: 5.0 04 Oct 2012, 19:55 UTC

The default configuration of Cerberus FTP Server before 5.0.4.0 supports the DES cipher for SSH sessions, which makes it easier for remote attackers to obtain sensitive information by sniffing the network and performing a brute-force attack on the encrypted data.

CVE-2012-2999 cerberusftp vulnerability CVSS: 6.8 04 Oct 2012, 19:55 UTC

Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in Cerberus FTP Server before 5.0.5.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user account or (2) reconfigure the state of the FTP service, as demonstrated by a request to usermanager/users/modify.

CVE-2004-2769 cerberusftp vulnerability CVSS: 4.0 02 Jul 2010, 20:30 UTC

Cerberus FTP Server before 4.0.3.0 allows remote authenticated users to list hidden files, even when the "Display hidden files" option is enabled, via the (1) MLSD or (2) MLST commands.