vulnerability

WinSCP: CVE-2021-3331: Vulnerability in WinSCP

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Jan 27, 2021	Sep 11, 2025	Sep 11, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Jan 27, 2021

Added

Sep 11, 2025

Modified

Sep 11, 2025

Description

WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)

Solution

winscp-winscp-upgrade-latest

References

CVE-2021-3331
https://attackerkb.com/topics/CVE-2021-3331
URL-https://github.com/winscp/winscp/commit/faa96e8144e6925a380f94a97aa382c9427f688d
URL-https://winscp.net/eng/docs/history#5.17.10
URL-https://winscp.net/eng/docs/rawsettings
URL-https://winscp.net/tracker/1943

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today