CVE-2023-53886

HIGH

Xlight FTP Server 3.9.3.6 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53886. PoCs published by Yehia Elghaly.

AI-analyzed exploit summary This exploit demonstrates a stack buffer overflow in Xlight FTP Server 3.9.3.6 by writing a large string of 'A' characters to a file, which can be used to crash the application when pasted into the 'Execute a Program after user logged in' field.

Description

Xlight FTP Server 3.9.3.6 contains a stack buffer overflow vulnerability in the 'Execute Program' configuration that allows attackers to crash the application. Attackers can trigger the vulnerability by inserting 294 characters into the program execution configuration, causing a denial of service condition.

Exploits (1)

exploitdb WORKING POC
by Yehia Elghaly · pythondoswindows
https://www.exploit-db.com/exploits/51665

This exploit demonstrates a stack buffer overflow in Xlight FTP Server 3.9.3.6 by writing a large string of 'A' characters to a file, which can be used to crash the application when pasted into the 'Execute a Program after user logged in' field.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Xlight FTP Server 3.9.3.6
No auth needed
Prerequisites: Xlight FTP Server 3.9.3.6 installed · Access to the server's configuration interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/51665
Vendor Advisory product
https://www.xlightftpd.com/

Scores

CVSS v3 7.5
EPSS 0.0037
EPSS Percentile 28.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-121 CWE-787
Status published
Products (2)
Xlightftpd/Xlight FTP Server 3.9.3.6
xlightftpd/xlight_ftp_server 3.9.3.6
Published Dec 15, 2025
Tracked Since Feb 18, 2026