Thanks for testing this! Yes, you can publish it.

Great! Now the bug it was fixed.

I would like to know if now I can publish this bug as CVE.

This bug has been added to the tracker:
https://winscp.net/tracker/1924

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.

OK, I'll be waiting for publication of the vulnerability with the intention of CVE.
Thank you.

Thanks. I'm able to reproduce the problem on Windows 7. I'll look at it and I'll come back to you.

I was able to crash with the debug version too. Anyway, I'm attaching the log that I got after the crash. Note that if you execute in Windows 10, won't crash. Hope that helps you.

For the crash you need execute in Windows 7.

Thanks for your report. Though I cannot reproduce the problem. I get the listing in GUI without a crash.
I have sent you an email with a debug version of WinSCP to the address you have used to register on this forum.

Simulating a malicious server, it was possible to crash the application after preparing a response to the listing of modified content for a large number of characters.

I used a Kali machine to execute a poc and simulate a server.

Version of WinSCP: 5.17.8
Version of OS: Windows 7 SP1 x64