QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-30915

Back to search

CVE-2026-30915

Published: Mar 13, 2026

Modified: Mar 13, 2026

PUBLISHED

Description

SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username the resulting path may resolve to a parent directory instead of the intended sub-directory. This issue is fixed in version v2.7.1

VendorProductVersions

drakkan

sftpgo

affected
>= 2.3.0, < 2.7.1

Weaknesses (CWE)

CWE-22

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now