PatchSiren

Monsta Limited of New Zealand CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Monsta Limited of New Zealand CVE published 2026-07-08

CVE-2026-60105

CVE-2026-60105 is a server-side request forgery vulnerability in Monsta FTP before 2.14.5. The vulnerability is caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source [truncated]