# CVE-2025-27889

> Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.

- **CVSS:** 3.4 (LOW)
- **EPSS:** 0.1%
- **CWE:** CWE-15

Canonical: https://intel.threadlinqs.com/cve/CVE-2025-27889
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp