Path Traversal in Drakkan Sftpgo

CVE-2026-30914

SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypas…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (7.8th percentile) — read the EPSS interpretation.

Affected products

Drakkan Sftpgo — versions < 2.7.1

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp (x_refsource_CONFIRM)