Is CVE-2026-44240 in the CISA KEV catalog?

No. CVE-2026-44240 is not currently on the CISA Known Exploited Vulnerabilities list.

What is the CVSS severity of CVE-2026-44240?

CVE-2026-44240 has a CVSS v3 base score of 7.5 (HIGH).

What is the EPSS score for CVE-2026-44240?

CVE-2026-44240 has an EPSS score of 0.46% (37th percentile), estimating the probability of exploitation in the next 30 days.

CVE & CISA-KEV Catalog

CVE-2026-44240

HIGH

7.5

CVSS v3

NVD

Description

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.

CWE-400Resource Exhaustion CWE-770

CVSS v3 Vector

Exploitability

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

Impact

ConfidentialityNone

IntegrityNone

AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploit Intelligence

0.46%probability of exploitation in 30 days

37thpercentile

Low risk: more likely to be exploited than 37% of all known CVEs.

References

https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-05-14.