PT-2026-55446 · Go · Github.Com/Drakkan/Sftpgo/V2

Published

2026-07-02

·

Updated

2026-07-02

·

CVE-2026-49244

CVSS v3.1

5.9

Medium

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's canonical path begins with the shared directory's name.

Patches

Fixed in v2.7.3. The fix replaces the raw prefix check with a directory-boundary–aware check.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49244
GHSA-H64P-8H4R-6GFH

Affected Products

Github.Com/Drakkan/Sftpgo/V2