Path Traversal in Drakkan Sftpgo

CVE-2026-30915

SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configure…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (6.7th percentile) — read the EPSS interpretation.

Affected products

Drakkan Sftpgo — versions >= 2.3.0, < 2.7.1

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/drakkan/sftpgo/security/advisories/GHSA-m83q-5wr4-4gfp (x_refsource_CONFIRM)