CVE-2026-29515
Analyzed
Analyzed - Analysis Complete
Authentication Bypass in MiCode FileExplorer SwiFTP Enables Unauthorized FTP Access
Vulnerability report for CVE-2026-29515, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-11
Last updated on: 2026-05-07
Assigner: VulnCheck
Description
Description
MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiaomi | fileexplorer | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-303 | The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |