lftp 4.9.3 does not filter non-printable characters in terminal output when displaying filenames. This allows untrusted filenames (e.g., containing escape sequences) to inject terminal control codes, potentially causing display corruption or security issues in vulnerable terminal configurations.
| Vendor | Product | Versions |
|---|---|---|
| — | lftp | 4.9.3 |
