SFTPGo CVE-2026-49245
LOWSeverity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
AC:H reflects combined social engineering and crafted-URL dependency; PR:L requires share file-upload access; HttpOnly cookies cap confidentiality to low; no availability impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin (stored XSS).
Impact
Low. Exploitation requires the attacker to place the file and a victim to open the crafted link - a URL the WebClient never generates, so it requires social engineering - and the practical conditions are narrow:
- Session cookies are HttpOnly, so the cookie cannot be read by the injected script.
- Authenticated shares set their own session cookie, which overwrites the victim's WebClient cookie, no account pivot. The realistic case is a public share, or a folder shared between distinct users combined with targeted social engineering.
It is a genuine trust-boundary violation (SFTPGo emits attacker-controlled content as active HTML in its own origin), hence an advisory, but the constrained preconditions and the HttpOnly mitigation keep it Low.
Patches
Upgrade to v2.7.3. These endpoints now always respond with Content-Disposition: attachment; the inline parameter has been removed. See the fix commit for the full technical rationale.
AnalysisAI
Stored XSS in SFTPGo's WebClient allows an attacker who can place files in a share or home directory to serve an HTML payload as live text/html within SFTPGo's own web origin by exploiting the inline query parameter on file download endpoints, which suppressed the Content-Disposition: attachment header. Affected versions prior to v2.7.3 expose both the browsable-share and authenticated-user file download paths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must be simultaneously satisfied: (1) the attacker must have sufficient access to upload or place an HTML file into a SFTPGo share or user home directory - requiring at minimum low-privilege contributor rights to a share, or control of a public share; (2) a victim must be socially engineered into clicking a manually crafted URL containing the inline query parameter, since no legitimate WebClient flow generates such URLs; and (3) the victim's browser must be authenticated to the WebClient or the targeted share must be public. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 3.7 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N) is internally consistent and accurately reflects the constrained exploitation posture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with contributor access to a SFTPGo share uploads a crafted HTML file containing malicious JavaScript. The attacker constructs a direct download URL appending the inline parameter - a URL the WebClient never generates - and delivers it to a target victim via phishing or chat. … |
| Remediation | Vendor-released patch: v2.7.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3vcg-pv95-pq54