Skip to main content

SFTPGo CVE-2026-49245

LOW
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 https://github.com/drakkan/sftpgo GHSA-3vcg-pv95-pq54
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
3.7 LOW

AC:H reflects combined social engineering and crafted-URL dependency; PR:L requires share file-upload access; HttpOnly cookies cap confidentiality to low; no availability impact.

3.1 AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 19:32 vuln.today

DescriptionGitHub Advisory

Summary

The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin (stored XSS).

Impact

Low. Exploitation requires the attacker to place the file and a victim to open the crafted link - a URL the WebClient never generates, so it requires social engineering - and the practical conditions are narrow:

  • Session cookies are HttpOnly, so the cookie cannot be read by the injected script.
  • Authenticated shares set their own session cookie, which overwrites the victim's WebClient cookie, no account pivot. The realistic case is a public share, or a folder shared between distinct users combined with targeted social engineering.

It is a genuine trust-boundary violation (SFTPGo emits attacker-controlled content as active HTML in its own origin), hence an advisory, but the constrained preconditions and the HttpOnly mitigation keep it Low.

Patches

Upgrade to v2.7.3. These endpoints now always respond with Content-Disposition: attachment; the inline parameter has been removed. See the fix commit for the full technical rationale.

AnalysisAI

Stored XSS in SFTPGo's WebClient allows an attacker who can place files in a share or home directory to serve an HTML payload as live text/html within SFTPGo's own web origin by exploiting the inline query parameter on file download endpoints, which suppressed the Content-Disposition: attachment header. Affected versions prior to v2.7.3 expose both the browsable-share and authenticated-user file download paths. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain file-upload access to a SFTPGo share
Delivery
Upload crafted HTML file with malicious JavaScript
Exploit
Construct inline-parameter URL bypassing WebClient navigation
Execution
Social-engineer victim into clicking crafted link
Persist
Browser renders HTML in SFTPGo origin
Impact
Execute JavaScript in victim's authenticated session

Vulnerability AssessmentAI

Exploitation Three conditions must be simultaneously satisfied: (1) the attacker must have sufficient access to upload or place an HTML file into a SFTPGo share or user home directory - requiring at minimum low-privilege contributor rights to a share, or control of a public share; (2) a victim must be socially engineered into clicking a manually crafted URL containing the inline query parameter, since no legitimate WebClient flow generates such URLs; and (3) the victim's browser must be authenticated to the WebClient or the targeted share must be public. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 3.7 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N) is internally consistent and accurately reflects the constrained exploitation posture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with contributor access to a SFTPGo share uploads a crafted HTML file containing malicious JavaScript. The attacker constructs a direct download URL appending the inline parameter - a URL the WebClient never generates - and delivers it to a target victim via phishing or chat. …
Remediation Vendor-released patch: v2.7.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49245 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy