CVE-2026-29515

CRITICAL

MiCode FileExplorer - Unauthenticated Authentication Bypass in SwiFTP FTP Server

Title source: llm

Description

MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status.

References (2)

Core 2

Core References

Various Sources product

https://github.com/MiCode/FileExplorer

View Writeup ZIP pw:eip

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/micode-fileexplorer-swiftp-server-authentication-bypass

Scores

CVSS v3 9.8

EPSS 0.0048

EPSS Percentile 37.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-303 CWE-862

Status published

Products (2)

MiCode/FileExplorer

xiaomi/fileexplorer

Published Mar 11, 2026

Tracked Since Mar 11, 2026