
GHSA-3vcg-pv95-pq54: SFTPGo has stored XSS via inline parameter on public shares and user file download

Low
Published: 07/02/2026 (07/02/2026, 19:09:30 UTC)
Source: GCVE Database
Product: github.com/drakkan/sftpgo/v2

Description

SFTPGo versions from 2.2.0 up to, but not including, 2.7.3 have a stored cross-site scripting (XSS) vulnerability via an inline query parameter on public shares and authenticated user file downloads. This flaw allows an attacker to serve an HTML file as active content within SFTPGo's web origin by suppressing the Content-Disposition: attachment header. Exploitation requires the attacker to place a crafted file and convince a victim to open a specially crafted link, which the WebClient does not generate, so social engineering is required. The vulnerability is considered low severity because of the constrained exploitation conditions and because HttpOnly session cookies prevent cookie theft. The issue is fixed in version 2.7.3 by removing the inline parameter and enforcing Content-Disposition: attachment on these endpoints.

CVSS v3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected software

Ecosystem: Go
Package: github.com/drakkan/sftpgo/v2
Affected versions: >=2.2.0 <2.7.3


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 23:14:10 UTC

Technical Analysis

The vulnerability in SFTPGo (CVE-2026-49245) involves a stored XSS caused by an inline query parameter that suppresses the Content-Disposition: attachment header on browsable-share file downloads and authenticated user file downloads. This allows HTML files stored in shares or home directories to be served as text/html and execute scripts in the SFTPGo web origin. Exploitation requires attacker-controlled file placement and victim interaction with a crafted URL, which is not generated by the WebClient, making social engineering necessary. HttpOnly cookies and session cookie overwrites limit the impact, confining realistic exploitation to public shares or shared folders between distinct users. The vulnerability is fixed in SFTPGo version 2.7.3 by removing the inline parameter and always responding with Content-Disposition: attachment.

Potential Impact

The impact is low because exploitation requires specific conditions: an attacker must place a malicious HTML file and trick a victim into opening a crafted link. The WebClient does not generate such links, so social engineering is necessary. HttpOnly session cookies prevent the injected script from stealing cookies, and authenticated shares overwrite session cookies, preventing account pivoting. The vulnerability represents a trust-boundary violation by serving attacker-controlled content as active HTML in the same origin, but practical exploitation scenarios are limited.

Mitigation Recommendations

Upgrade SFTPGo to version 2.7.3 or later, where the inline query parameter has been removed and the endpoints always respond with Content-Disposition: attachment, preventing HTML files from being served as active content. This official fix fully mitigates the vulnerability.
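To make the mechanism in the description and the fix above concrete, the following Go snippet is an added illustration (not SFTPGo's own code): it places a handler that honours an inline query parameter beside one that applies the 2.7.3 approach of always answering with Content-Disposition: attachment. The sample file, the /download path and the added nosniff header are assumptions of this example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// Constructed sample: an HTML file an attacker could have placed in a share or home directory.
const (
	sampleName = "report.html"
	sampleBody = "<html><body><script>/* would execute in the web origin */</script></body></html>"
	sampleType = "text/html; charset=utf-8" // what a file server derives from the .html extension
)
var attachment = mime.FormatMediaType("attachment", map[string]string{"filename": sampleName})

// vulnerableDownload mirrors the pre-2.7.3 behaviour the advisory describes: an "inline"
// query parameter suppresses the attachment disposition, so the browser renders the HTML.
func vulnerableDownload(w http.ResponseWriter, r *http.Request) {
	if r.URL.Query().Get("inline") == "" {
		w.Header().Set("Content-Disposition", attachment)
	}
	w.Header().Set("Content-Type", sampleType)
	fmt.Fprint(w, sampleBody)
}

// hardenedDownload mirrors the 2.7.3 fix: the inline parameter is never consulted and
// every response carries Content-Disposition: attachment.
func hardenedDownload(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Disposition", attachment)
	w.Header().Set("X-Content-Type-Options", "nosniff") // added defence-in-depth, not part of the advisory's fix
	w.Header().Set("Content-Type", sampleType)
	fmt.Fprint(w, sampleBody)
}

// dispositionFor returns the Content-Disposition header a handler emits for a query string;
// the request path is a placeholder, not an SFTPGo endpoint.
func dispositionFor(h http.HandlerFunc, query string) string {
	req := httptest.NewRequest(http.MethodGet, "/download?"+query, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Content-Disposition")
}

func main() {
	for _, q := range []string{"", "inline=1"} {
		fmt.Printf("?%-8s vulnerable=%q hardened=%q\n", q,
			dispositionFor(vulnerableDownload, q), dispositionFor(hardenedDownload, q))
	}
}
```

The same check, a request with inline=1 against a file-download endpoint and inspection of the Content-Disposition response header, is how to verify a deployed instance after upgrading.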


Technical Details

GCVE source: db.gcve.eu
OSV ID: GHSA-3vcg-pv95-pq54
OSV schema version: 1.4.0
Aliases: CVE-2026-49245
Ecosystems: Go
Database-specific severity: LOW
CVSS version: 3.1

Threat ID: 6a46ecbb27e9c7971943cde5

Added to database: 07/02/2026, 22:56:59 UTC

Last enriched: 07/02/2026, 23:14:10 UTC

Last updated: 07/03/2026, 03:26:29 UTC


