PT-2026-55446 · Go · Github.Com/Drakkan/Sftpgo/V2
Publicado
2026-07-02
·
Atualizado
2026-07-02
·
CVE-2026-49244
CVSS v3.1
5.9
Média
| Vetor | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Summary
The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's canonical path begins with the shared directory's name.
Patches
Fixed in v2.7.3. The fix replaces the raw prefix check with a directory-boundary–aware check.
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Github.Com/Drakkan/Sftpgo/V2