PT-2026-25354 · Sftpgo · Sftpgo

Mcantrell · Published 2026-03-13 · Updated 2026-03-25 · CVE-2026-30914

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: SFTPGo versions prior to 2.7.1
Description: SFTPGo is an open-source, event-driven file transfer solution. A path normalization discrepancy exists between the protocol handlers and the internal Virtual Filesystem routing in versions prior to 2.7.1. This discrepancy can lead to an authorization bypass. An authenticated attacker can create specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder.
Recommendations: Update to SFTPGo version 2.7.1 or later.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-30914
GHSA-X8QH-7475-C5MP
GO-2026-4699
SUSE-SU-2026:1042-1

Affected Products

Sftpgo