Is CVE-2007-4909 actively exploited?

CVE-2007-4909 has no public evidence of in-the-wild exploitation as of 2026-04-23.

What is the CVSS score for CVE-2007-4909?

CVE-2007-4909 has a CVSS score of 9.3 (UNKNOWN severity). Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C.

How do I patch CVE-2007-4909?

Patch guidance is available from winscp security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2007-4909.

CVE-2007-4909 - remediation guidance & executive summary

Q: Which products are affected by CVE-2007-4909?

12 products: winscp winscp, winscp winscp, winscp winscp, winscp winscp, winscp winscp, and 7 more.

Description

Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP. NOTE: this is related to an incomplete fix for CVE-2006-3015.

CVSS Metrics

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: network
Access Cmplx: medium
Auth: none
Confidentiality: complete
Integrity: complete
Availability: complete
Weaknesses: CWE-264

Metadata

Primary Vendor: WINSCP
Published: 9/17/2007
Last Modified: 4/23/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

winscp : winscpwinscp : winscpwinscp : winscpwinscp : winscpwinscp : winscpwinscp : winscpwinscp : winscpwinscp : winscpwinscp : winscpwinscp : winscpwinscp : winscpwinscp : winscp

Remediation Guidance

Executive Summary

Cite this page

CVE-2007-4909. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2007-4909

View on NIST NVD

CVE-2007-4909 vulnerability