{"id":"MGASA-2026-0107","summary":"Updated gvfs packages fix security vulnerabilities","details":"Gvfs: gvfs ftp backend: information disclosure via untrusted pasv\nresponses. (CVE-2026-28295)\nGvfs: ftp gvfs backend: arbitrary ftp command injection via crlf\nsequences in file paths. (CVE-2026-28296)\n","modified":"2026-04-22T22:15:06.773930Z","published":"2026-04-22T22:08:34Z","upstream":["CVE-2026-28295","CVE-2026-28296"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2026-0107.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=35171"},{"type":"WEB","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HQU2RBFHWZPMIUYTLU72VSQUTNQ2MUIK/"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8114-1"}],"affected":[{"package":{"name":"gvfs","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/gvfs?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.50.4-1.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2026-0107.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}