Product
An unauthenticated attacker can exploit CVE-2026-60105, a Server-Side Request Forgery vulnerability in Monsta FTP before 2.14.5, by leveraging an incomplete IP blocklist check with IPv4-mapped IPv6 addresses to force the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, potentially enabling retrieval of cloud instance metadata credentials.