PT-2026-25355 · Sftpgo · Sftpgo

Published 2026-03-13 · Updated 2026-03-25 · CVE-2026-30915

CVSS v4.0: 5.3 Medium
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SFTPGo versions prior to 2.7.1

Description: SFTPGo is an open source, event-driven file transfer solution. Versions of SFTPGo before 2.7.1 contain an input validation issue when handling dynamic group paths, such as home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not adequately sanitized against relative path components. This allows a specially crafted username to cause the resulting path to resolve to a parent directory instead of the intended sub-directory. The vulnerable component is the handling of dynamic group paths. The vulnerable parameter is the username used in the placeholder.

Recommendations: Update to version 2.7.1 or later.
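As an added illustration, not SFTPGo's code or its actual fix, the Go sketch below places a verbatim placeholder expansion that carries the flaw class described above beside a checked version that rejects any substituted value whose cleaned result does not lie strictly below the intended base directory; the template path and usernames are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Placeholder as named in the advisory; the templates and usernames used here
// are constructed examples, not SFTPGo's own configuration.
const placeholder = "%username%"

var ErrPathEscape = errors.New("expanded path escapes the group base directory")

// expandNaive reproduces the flaw class described above: the placeholder is
// replaced verbatim, so relative components in the username survive into the path.
func expandNaive(template, username string) string {
	return filepath.Clean(strings.ReplaceAll(template, placeholder, username))
}

// validComponent rejects values that cannot be a single path element.
func validComponent(username string) bool {
	return username != "" && username != "." && username != ".." &&
		!strings.ContainsAny(username, `/\`)
}

// expandChecked is an illustrative hardening, not SFTPGo's actual fix: validate
// the value, then confirm the cleaned result lies strictly below the base directory.
func expandChecked(template, username string) (string, error) {
	idx := strings.Index(template, placeholder)
	if idx < 0 {
		return filepath.Clean(template), nil
	}
	if !validComponent(username) {
		return "", ErrPathEscape
	}
	base := filepath.Clean(template[:idx]) // e.g. "/srv/data"
	expanded := expandNaive(template, username)
	rel, err := filepath.Rel(base, expanded)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return expanded, nil
}

func main() {
	p, err := expandChecked("/srv/data/%username%", "../../etc")
	fmt.Println(expandNaive("/srv/data/%username%", "../../etc"), p, err)
}
```

The containment check is kept even though validComponent already rejects separators, so that a template whose placeholder is not the last element still cannot be steered above its base.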

Exploit · Fix · RCE · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-30915
GHSA-M83Q-5WR4-4GFP
GO-2026-4697
SUSE-SU-2026:1042-1

Affected Products

Sftpgo