CVE-2026-30915
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username the resulting path may resolve to a parent directory instead of the intended sub-directory. This issue is fixed in version v2.7.1
| CWE | CWE-22 |
| Vendor | drakkan |
| Product | sftpgo |
| Published | Mar 13, 2026 |
| Last Updated | Mar 13, 2026 |
Get instant alerts for drakkan sftpgo
Be the first to know when new unknown vulnerabilities affecting drakkan sftpgo are published โ delivered to Slack, Telegram or Discord.