pureftpd CVE Vulnerabilities & Metrics

Focus on pureftpd vulnerabilities and metrics.

Last updated: 10 Sep 2025, 22:25 UTC

About pureftpd Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with pureftpd. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total pureftpd CVEs: 7
Earliest CVE date: 06 Aug 2004, 04:00 UTC
Latest CVE date: 24 Oct 2024, 21:15 UTC

Latest CVE reference: CVE-2024-48208

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

CVSS Stats

Average CVSS: 4.61

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 2
4.0-6.9 9
7.0-8.9 1
9.0-10.0 0

Top 5 Highest CVSS pureftpd CVEs

These are the five CVEs with the highest CVSS scores for pureftpd, sorted by severity first and then by recency.

All CVEs for pureftpd

CVE-2024-48208 pureftpd vulnerability CVSS: 0 24 Oct 2024, 21:15 UTC

pure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There is an out of bounds read in the domlsd() function of the ls.c file.

CVE-2021-40524 pureftpd vulnerability CVSS: 5.0 05 Sep 2021, 19:15 UTC

In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.)

CVE-2020-35359 pureftpd vulnerability CVSS: 5.0 26 Dec 2020, 05:15 UTC

Pure-FTPd 1.0.48 allows remote attackers to prevent legitimate server use by making enough connections to exceed the connection limit.

CVE-2020-9274 pureftpd vulnerability CVSS: 5.0 26 Feb 2020, 16:15 UTC

An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c.

CVE-2020-9365 pureftpd vulnerability CVSS: 5.0 24 Feb 2020, 16:15 UTC

An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c.

CVE-2019-20176 pureftpd vulnerability CVSS: 5.0 31 Dec 2019, 15:15 UTC

In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the listdir function in ls.c.

CVE-2017-12170 pureftpd vulnerability CVSS: 7.5 21 Sep 2017, 21:29 UTC

Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was vulnerable to packaging error due to which the original configuration was ignored after update and service started running with default configuration. This has security implications because of overriding security-related configuration. This issue doesn't affect upstream version of pure-ftpd.

CVE-2011-3171 pureftpd vulnerability CVSS: 3.6 04 Nov 2011, 21:55 UTC

Directory traversal vulnerability in pure-FTPd 1.0.22 and possibly other versions, when running on SUSE Linux Enterprise Server and possibly other operating systems, when the Netware OES remote server feature is enabled, allows local users to overwrite arbitrary files via unknown vectors.

CVE-2011-0418 pureftpd vulnerability CVSS: 4.0 24 May 2011, 23:55 UTC

The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.

CVE-2011-1575 pureftpd vulnerability CVSS: 5.8 23 May 2011, 22:55 UTC

The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2011-0988 pureftpd vulnerability CVSS: 4.4 18 Apr 2011, 17:55 UTC

pure-ftpd 1.0.22, as used in SUSE Linux Enterprise Server 10 SP3 and SP4, and Enterprise Desktop 10 SP3 and SP4, when running OES Netware extensions, creates a world-writeable directory, which allows local users to overwrite arbitrary files and gain privileges via unspecified vectors.

CVE-2004-0656 pureftpd vulnerability CVSS: 5.0 06 Aug 2004, 04:00 UTC

The accept_client function in PureFTPd 1.0.18 and earlier allows remote attackers to cause a denial of service by exceeding the maximum number of connections.