CVE-2026-30915

MEDIUM

SFTPGo 2.3.0-2.7.0 - Path Traversal via Dynamic Group Path Placeholder

Title source: llm

Description

SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username the resulting path may resolve to a parent directory instead of the intended sub-directory. This issue is fixed in version v2.7.1

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/drakkan/sftpgo/security/advisories/GHSA-m83q-5wr4-4gfp

Scores

CVSS v3 4.3

EPSS 0.0031

EPSS Percentile 22.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (3)

drakkan/sftpgo 2.3.0 - 2.7.1Go

drakkan/sftpgo >= 2.3.0, < 2.7.1

sftpgo_project/sftpgo 2.3.0 - 2.7.1

Published Mar 13, 2026

Tracked Since Mar 14, 2026