CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-h64p-8h4r-6gfh: SFTPGo has path confinement bypass in public browsable share partial ZIP download

mediumCVSS 5.9CVE-2026-49244
Summary The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's canonical path begins with the shared directory's name. Patches Fixed in v2.7.3. The fix replaces the raw prefix check with a directory-boundary–aware check.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 5.9
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-h64p-8h4r-6gfh

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49244coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories