HIGH
Monsta Limited of New Zealand
CVE published 2026-07-08
CVE-2026-60105
CVE-2026-60105 is a server-side request forgery vulnerability in Monsta FTP before 2.14.5. The vulnerability is caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source [truncated]