Mcantrell

**Name of the Vulnerable Software and Affected Versions** SFTPGo versions prior to 2.7.1 **Description** SFTPGo is an open-source, event-driven file transfer solution. A path normalization discrepancy exists between the protocol handlers and the internal Virtual Filesystem routing in versions prior to 2.7.1. This discrepancy can lead to an authorization bypass. An authenticated attacker can create specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. **Recommendations** Update to SFTPGo version 2.7.1 or later.