| Package | gvfs |
|---|---|
| Version | 1.38.1-5+deb10u1 (buster) |
| Related CVEs | CVE-2026-28295 CVE-2026-28296 |

Codean Labs found that gvfs, a virtual filesystem implementation, was affected by multiple vulnerabilities, including an FTP bounce attack, which could lead to probing of open ports on the client network, and improper CRLF validation, which could allow an attacker to inject arbitrary FTP commands.
For Debian 10 buster, these problems have been fixed in version 1.38.1-5+deb10u1.
We recommend that you upgrade your gvfs packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.
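
The two bug classes named above, written as client-side checks in an added Python example; this is not gvfs code and not its patch. It assumes the bounce arises from a passive-mode (227) reply that names a host other than the control-connection peer; `build_command` and `data_endpoint` are hypothetical names, and the addresses are constructed samples.

```python
import ipaddress
import re

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def build_command(verb: str, argument: str) -> bytes:
    """Serialise one FTP command, refusing arguments that would start a second one."""
    # FTP commands end with CRLF, so a raw CR, LF or NUL inside a file name
    # taken from a URI would end the command early and begin another.
    if any(ch in argument for ch in "\r\n\x00"):
        raise ValueError("control character in FTP command argument")
    return f"{verb} {argument}\r\n".encode("utf-8")


def data_endpoint(pasv_reply: str, control_peer: str) -> tuple[str, int]:
    """Parse a 227 reply and accept it only if it points back at the server."""
    m = PASV_RE.search(pasv_reply)
    if not pasv_reply.startswith("227") or m is None:
        raise ValueError("not a valid 227 reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply")
    host = ipaddress.ip_address(".".join(map(str, fields[:4])))
    port = fields[4] * 256 + fields[5]
    # The server chooses the address in this reply. Compare it with the peer
    # of the control connection and refuse anything else (assumed mitigation).
    if host != ipaddress.ip_address(control_peer):
        raise ValueError(f"227 reply names {host}, control peer is {control_peer}")
    return str(host), port


if __name__ == "__main__":
    # Constructed sample inputs using documentation addresses.
    print(build_command("RETR", "report.txt"))
    print(data_endpoint("227 Entering Passive Mode (192,0,2,10,195,80)", "192.0.2.10"))
    checks = (
        lambda: build_command("RETR", "a\r\nNOOP"),
        lambda: data_endpoint("227 Entering Passive Mode (10,0,0,5,0,22)", "192.0.2.10"),
    )
    for check in checks:
        try:
            check()
        except ValueError as exc:
            print("rejected:", exc)
```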