Skip to main content

Canonical CVE-2026-30914

| EUVD-2026-12072 HIGH
Path Traversal (CWE-22)
2026-03-13 https://github.com/drakkan/sftpgo GHSA-x8qh-7475-c5mp
Path Traversal Canonical Suse
8.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Mar 18, 2026 - 20:19 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 19:00 euvd
EUVD-2026-12072
Analysis Generated
Mar 13, 2026 - 19:00 vuln.today
CVE Published
Mar 13, 2026 - 18:55 nvd
HIGH 8.1

DescriptionNVD

Impact

In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder.

Patches

This issue has been addressed in SFTPGo version 2.7.1. The fix introduces strict edge-level path normalization, ensuring that all protocol inputs are fully sanitized and resolved to canonical POSIX paths before any routing or permission evaluations occur.

AnalysisAI

SFTPGo versions prior to 2.7.1 contain a path normalization vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) that allows authenticated attackers to bypass folder-level permissions and escape Virtual Folder boundaries through crafted file paths. An attacker with valid credentials can exploit this authorization bypass to access files and directories beyond their intended scope. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 7 days: Identify all affected systems running SFTPGo and apply vendor patches promptly. Review file handling controls and restrict upload directories.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-49238 HIGH
8.4 May 28

Virtual machine escape in Canonical Multipass before 1.16.3 allows a root user inside a guest VM to read arbitrary files
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
CVE-2026-49237 HIGH
7.8 May 28

Local privilege escalation in Canonical Multipass for macOS before 1.16.3 allows a low-privileged local user to obtain r
CVE-2026-42790 HIGH
7.6 May 27

TLS server impersonation in Erlang/OTP's public_key library lets a name-constrained subordinate CA forge a trusted ident
CVE-2026-42462 HIGH
7.0 May 26

Here is the multi-source synthesis for CVE-2026-42462: ```json { "product_name": "Fedify", "summary": "Linked Data

Vendor StatusVendor

Share

CVE-2026-30914 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy