Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

accellion

Source -

NVD

BOS Name -

Accellion (Kiteworks USA, LLC)

CNA CVEs -

0

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

65
Related CVEsRelated ProductsRelated AssignersReports
65Vulnerabilities found

CVE-2017-8793
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.51% / 40.00%
||
7 Day CHG~0.00%
Published-05 May, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site access with a bypass of the Same Origin Policy.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-file_transfer_appliancen/a
CWE ID-CWE-346
Origin Validation Error
CVE-2016-5662
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-7.8||HIGH
EPSS-0.38% / 30.26%
||
7 Day CHG~0.00%
Published-26 Aug, 2016 | 19:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Accellion Kiteworks appliances before kw2016.03.00 use setuid-root permissions for /opt/bin/cli, which allows local users to gain privileges via unspecified vectors.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-kiteworks_appliancen/a
CVE-2016-5663
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.90% / 55.16%
||
7 Day CHG~0.00%
Published-26 Aug, 2016 | 19:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in oauth_callback.php on Accellion Kiteworks appliances before kw2016.03.00 allow remote attackers to inject arbitrary web script or HTML via the (1) code, (2) error, or (3) error_description parameter.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-kiteworks_appliancen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-5664
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-2.39% / 81.92%
||
7 Day CHG~0.00%
Published-26 Aug, 2016 | 19:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability on Accellion Kiteworks appliances before kw2016.03.00 allows remote attackers to read files via a crafted URI.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-kiteworks_appliancen/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2016-2350
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.94% / 56.52%
||
7 Day CHG~0.00%
Published-07 May, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) getimageajax.php, (2) move_partition_frame.html, or (3) wmInfo.html.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-file_transfer_appliancen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-2352
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-5.38% / 91.68%
||
7 Day CHG~0.00%
Published-07 May, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-file_transfer_appliancen/a
CVE-2016-2353
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-7.8||HIGH
EPSS-0.47% / 37.55%
||
7 Day CHG~0.00%
Published-07 May, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-file_transfer_appliancen/a
CVE-2016-2351
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.58% / 72.51%
||
7 Day CHG~0.00%
Published-07 May, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-file_transfer_appliancen/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2009-4645
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-2.76% / 84.45%
||
7 Day CHG~0.00%
Published-19 Feb, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in web_client_user_guide.html in Accellion Secure File Transfer Appliance before 8_0_105 allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-secure_file_transfer_appliancen/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2009-4648
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-0.82% / 52.80%
||
7 Day CHG~0.00%
Published-19 Feb, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Accellion Secure File Transfer Appliance before 8_0_105 does not properly restrict access to sensitive commands and arguments that run with extra sudo privileges, which allows local administrators to gain privileges via (1) arbitrary arguments in the --file_move action in /usr/local/bin/admin.pl, or a hard link attack in (2) chmod or (3) a certain cp command.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-secure_file_transfer_appliancen/a
CVE-2009-4647
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.07% / 60.84%
||
7 Day CHG~0.00%
Published-19 Feb, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Accellion Secure File Transfer Appliance before 7_0_296 allows remote attackers to inject arbitrary web script or HTML via the username parameter, which is not properly handled when the administrator views audit logs.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-secure_file_transfer_appliancen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4646
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9||HIGH
EPSS-1.72% / 74.66%
||
7 Day CHG~0.00%
Published-19 Feb, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Static code injection vulnerability in the administrative web interface in Accellion Secure File Transfer Appliance allows remote authenticated administrators to inject arbitrary shell commands by appending them to a request to update the SNMP public community string.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-secure_file_transfer_appliancen/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2009-4644
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9||HIGH
EPSS-2.41% / 82.11%
||
7 Day CHG~0.00%
Published-19 Feb, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Accellion Secure File Transfer Appliance before 8_0_105 allows remote authenticated administrators to bypass the restricted shell and execute arbitrary commands via shell metacharacters to the ping command, as demonstrated by modifying the cli program.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-secure_file_transfer_appliancen/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2008-7012
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-6.67% / 93.08%
||
7 Day CHG~0.00%
Published-19 Aug, 2009 | 10:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

courier/1000@/api_error_email.html (aka "error reporting page") in Accellion File Transfer Appliance FTA_7_0_178, and possibly other versions before FTA_7_0_189, allows remote attackers to send spam e-mail via modified description and client_email parameters.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-secure_file_transfer_appliancen/a
CVE-2008-3850
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.46% / 70.42%
||
7 Day CHG~0.00%
Published-27 Aug, 2008 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Accellion File Transfer FTA_7_0_135 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to courier/forgot_password.html.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-secure_file_transfer_appliancen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • Next