157 matches found
PT-2026-55447
Name of the Vulnerable Software and Affected Versions SFTPGo versions prior to 2.7.3 Description A stored Cross-Site Scripting XSS issue exists where the inline query parameter on the browsable-share file download and authenticated user file download endpoints suppresses the Content-Disposition:...
CVE-2026-41889 vulnerabilities
Vulnerabilities for packages: cerbos, sftpgo-plugin-eventsearch, kots, gitlab-kas-fips, temporal-server, bento-fips, envoy-gateway-fips, kubeflow-pipelines, hydra-fips, pgtimetable, commercial-chainloop-backend, steampipe, gitlab-cng-fips, commercial-grafana, step-fips, rke2-cloud-provider-fips,...
CVE-2026-32952 vulnerabilities
Vulnerabilities for packages: gitea, teleport, trufflehog, harbor, kyverno-notation-aws, dex, zot, flux-source-controller, cert-manager-csi-driver, nuclei, rancher-webhook, cert-manager-cmctl, cert-manager-istio-csr, frp, bento, seaweedfs, spqr, juicefs, grafana, opentofu, xeol, gitlab-runner,...
GHSA-PJCQ-XVWQ-HHPJ vulnerabilities
Vulnerabilities for packages: gitea, teleport, trufflehog, harbor, kyverno-notation-aws, dex, zot, flux-source-controller, cert-manager-csi-driver, nuclei, rancher-webhook, cert-manager-cmctl, cert-manager-istio-csr, frp, bento, seaweedfs, spqr, juicefs, grafana, opentofu, xeol, gitlab-runner,...
GHSA-J88V-2CHJ-QFWX vulnerabilities
Vulnerabilities for packages: cerbos, sftpgo-plugin-eventsearch, kots, gitlab-kas-fips, temporal-server, bento-fips, envoy-gateway-fips, kubeflow-pipelines, hydra-fips, pgtimetable, commercial-chainloop-backend, steampipe, gitlab-cng-fips, commercial-grafana, step-fips, rke2-cloud-provider-fips,...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: dkron, supercronic, omnibump, flux-image-automation-controller, mariadb-operator, flux-helm-controller, fluxcd-kustomize-mutating-webhook, dataplaneapi, aws-load-balancer-controller, flux-operator, nodetaint, metacontroller, dbmate, envoy-ratelimit, go,...
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: atlantis, flux-image-automation-controller, external-dns, helm-mapkubeapis, litestream, kubernetes-csi-node-driver-registrar, cortex, docker-machine-driver-linode, dbmate, witness, chartmuseum, vault-env, mc, kine, zot, flux-source-controller, cert-manager-csi-driver...
CVE-2026-34986 vulnerabilities
Vulnerabilities for packages: kaniko, rekor, gitlab-kas-fips, percona-server-mongodb-operator, tkn, envoy-gateway-fips, kubeflow-pipelines, oauth2-proxy, commercial-chainloop-cli, packer-fips, spire-controller-manager, commercial-grafana, gcsfuse, crossplane, seaweedfs-operator-fips,...
CVE-2026-30915
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
SUSE CVE-2026-30914
SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths...
SUSE CVE-2026-30915
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
GO-2026-4699 SFTPGo Vulnerable to Path Traversal and Permission Bypass via Path Normalization Discrepancy in github.com/drakkan/sftpgo
SFTPGo Vulnerable to Path Traversal and Permission Bypass via Path Normalization Discrepancy in github.com/drakkan/sftpgo...
GO-2026-4697 SFTPGo improperly sanitizes placeholders in group home directories/key prefixes in github.com/drakkan/sftpgo
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes in github.com/drakkan/sftpgo...
CVE-2026-30914
SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths...
CVE-2026-30915
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
CVE-2026-30915 SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
CVE-2026-30915
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
CVE-2026-30915 SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
CVE-2026-30915 SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
CVE-2026-30915
SFTPGo (open source file transfer app) before v2.7.1 is affected by an input validation issue in dynamic group paths, where placeholders like %username% are not strictly sanitized against relative path components. This can allow a crafted username to cause the substituted path for a group’s home ...