autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."
Conclusion & alert: CVE-2008-4677 is rated Moderate Risk (45.4/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.95%). Core evidence: EPSS rose +1.02% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.93% | 1.95% | +1.02% |
| 2 | 2026-04-23 | 0.75% | 0.93% | +0.18% |
| 3 | 2025-12-31 | — | 0.75% | — |
Full EPSS history (10 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.3 | 2.0 | MEDIUM | | 8.6 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| debian | unimportant | CVE-2008-4677 unimportant priority: Debian, including 1 source package (vim), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 5. | https://security-tracker.debian.org/tracker/CVE-2008-4677 |
| redhat | low | — | https://access.redhat.com/security/cve/CVE-2008-4677 |
| ubuntu | negligible | CVE-2008-4677 negligible priority: Ubuntu, including 1 source package (vim), 7 status rows across 7 suites (dapper, gutsy, hardy, intrepid, jaunty, karmic, upstream): ignored 7. | https://ubuntu.com/security/CVE-2008-4677 |
Red Hat statement: Not vulnerable. This issue did not affect the versions of vim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| vim | netrw | 109 | cpe:2.3:a:vim:netrw:109:*:*:*:*:*:*:* |
| vim | netrw | 110 | cpe:2.3:a:vim:netrw:110:*:*:*:*:*:*:* |
| vim | netrw | 111 | cpe:2.3:a:vim:netrw:111:*:*:*:*:*:*:* |
| vim | netrw | 112 | cpe:2.3:a:vim:netrw:112:*:*:*:*:*:*:* |
| vim | netrw | 113 | cpe:2.3:a:vim:netrw:113:*:*:*:*:*:*:* |
| vim | netrw | 114 | cpe:2.3:a:vim:netrw:114:*:*:*:*:*:*:* |
| vim | netrw | 115 | cpe:2.3:a:vim:netrw:115:*:*:*:*:*:*:* |
| vim | netrw | 116 | cpe:2.3:a:vim:netrw:116:*:*:*:*:*:*:* |
| vim | netrw | 118 | cpe:2.3:a:vim:netrw:118:*:*:*:*:*:*:* |
| vim | netrw | 120 | cpe:2.3:a:vim:netrw:120:*:*:*:*:*:*:* |
| vim | netrw | 121 | cpe:2.3:a:vim:netrw:121:*:*:*:*:*:*:* |
| vim | netrw | 122 | cpe:2.3:a:vim:netrw:122:*:*:*:*:*:*:* |
| vim | netrw | 123 | cpe:2.3:a:vim:netrw:123:*:*:*:*:*:*:* |
| vim | netrw | 128 | cpe:2.3:a:vim:netrw:128:*:*:*:*:*:*:* |
| vim | netrw | 131 | cpe:2.3:a:vim:netrw:131:*:*:*:*:*:*:* |