Go modules package
github.com/drakkan/sftpgo/v2
pkg:golang/github.com/drakkan/sftpgo/v2
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30915 | | — | | >= 2.3.0, < 2.7.1 | 2.7.1 | Mar 13, 2026 | SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key pr |
| CVE-2026-30914 | | — | | < 2.7.1 | 2.7.1 | Mar 13, 2026 | SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft sp |
| CVE-2025-24366 | Hig | 7.5 | | >= 0.9.5, < 2.6.5 | 2.6.5 | Feb 7, 2025 | SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it |
| CVE-2024-52801 | Med | — | | >= 2.3.0, < 2.6.4 | 2.6.4 | Nov 29, 2024 | sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users' data, since th |
| CVE-2024-52309 | Med | — | | >= 2.4.0, < 2.6.3 | 2.6.3 | Nov 21, 2024 | SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature i |
| CVE-2024-37897 | Med | 5.4 | | >= 2.2.0, < 2.6.1 | 2.6.1 | Jun 20, 2024 | SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the |
| CVE-2022-36071 | | — | | >= 2.2.0, < 2.3.4 | 2.3.4 | Sep 2, 2022 | SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, s |