GHSA-3vcg-pv95-pq54: SFTPGo has stored XSS via inline parameter on public shares and user file download
SFTPGo versions from 2.2.0 up to, but not including, 2.7.3 contain a stored cross-site scripting (XSS) vulnerability reachable through an inline query parameter on public shares and authenticated user file downloads. The flaw lets an attacker serve a stored HTML file as active content within SFTPGo's web origin, because the parameter suppresses the Content-Disposition: attachment header. Exploitation requires the attacker to place a crafted file and to convince a victim to open a specially crafted link; the WebClient never generates such links, so social engineering is required. The vulnerability is rated low severity because of these constrained exploitation conditions and because HttpOnly session cookies prevent cookie theft. The issue is fixed in version 2.7.3 by removing the inline parameter and enforcing Content-Disposition: attachment on these endpoints.
AI Analysis
Technical Summary
The vulnerability in SFTPGo (CVE-2026-49245) is a stored XSS caused by an inline query parameter that suppresses the Content-Disposition: attachment header on browsable-share file downloads and authenticated user file downloads. Without that header, HTML files stored in shares or home directories are served as text/html and any script they contain executes in the SFTPGo web origin. Exploitation requires attacker-controlled file placement and victim interaction with a crafted URL; the WebClient does not generate such URLs, so social engineering is necessary. HttpOnly cookies and session cookie overwrites limit the impact, confining realistic exploitation to public shares or to folders shared between distinct users. The vulnerability is fixed in SFTPGo version 2.7.3 by removing the inline parameter and always responding with Content-Disposition: attachment.
Potential Impact
The impact is low because exploitation requires specific conditions: an attacker must place a malicious HTML file and trick a victim into opening a crafted link. The WebClient does not generate such links, so social engineering is necessary. HttpOnly session cookies prevent the injected script from stealing cookies, and authenticated shares overwrite session cookies, which prevents pivoting into another account. The vulnerability is nonetheless a trust-boundary violation, since attacker-controlled content is served as active HTML in the same origin, but practical exploitation scenarios are limited.
Mitigation Recommendations
Upgrade SFTPGo to version 2.7.3 or later, where the inline query parameter has been removed and the endpoints always respond with Content-Disposition: attachment, preventing HTML files from being served as active content. This official fix fully mitigates the vulnerability.
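Added example, not SFTPGo's own code: a minimal Go download handler in the flawed shape the advisory describes (an inline query parameter suppresses Content-Disposition: attachment, so a stored .html file is rendered inside the web origin) next to the hardened handler that ignores the parameter and always forces a download, plus a header check a defender can apply to any download response. The handler names, the in-memory file map and the /share/... paths are constructed for this illustration; the X-Content-Type-Options: nosniff header is extra hardening and is not part of the fix the advisory describes.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Constructed sample store: files an untrusted user could have uploaded
// into a public share or a shared folder. The HTML body is deliberately
// harmless; only the response headers matter for this demonstration.
var storedFiles = map[string][]byte{
	"/share/readme.html": []byte("<html><body><h1>stored html</h1></body></html>"),
	"/share/notes.txt":   []byte("plain notes"),
}

// contentTypeFor guesses the MIME type from the file extension, as a
// naive download handler would. For ".html" this yields text/html.
func contentTypeFor(name string) string {
	if ct := mime.TypeByExtension(path.Ext(name)); ct != "" {
		return ct
	}
	return "application/octet-stream"
}

func attachmentFor(name string) string {
	return mime.FormatMediaType("attachment", map[string]string{"filename": path.Base(name)})
}

// vulnerableDownload mirrors the pattern the advisory describes: when the
// request carries an "inline" query parameter, Content-Disposition is
// omitted and the browser renders a stored HTML file in the site's origin.
func vulnerableDownload(w http.ResponseWriter, r *http.Request) {
	body, ok := storedFiles[r.URL.Path]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", contentTypeFor(r.URL.Path))
	if r.URL.Query().Get("inline") == "" {
		w.Header().Set("Content-Disposition", attachmentFor(r.URL.Path))
	}
	w.Write(body)
}

// hardenedDownload is the corrected shape: the inline parameter is ignored
// and every response forces a download. nosniff is defence in depth so the
// browser does not second-guess the declared type (not part of the advisory).
func hardenedDownload(w http.ResponseWriter, r *http.Request) {
	body, ok := storedFiles[r.URL.Path]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", contentTypeFor(r.URL.Path))
	w.Header().Set("Content-Disposition", attachmentFor(r.URL.Path))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(body)
}

// fetchHeaders runs a handler in-process against a request URL and returns
// the response headers, so both behaviours can be compared without a server.
func fetchHeaders(h http.HandlerFunc, target string) http.Header {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Result().Header
}

// ServesAsActiveContent reports whether a download response would be
// rendered by the browser instead of saved: an HTML content type with no
// "attachment" disposition. The same check can be applied to headers
// captured from a live instance's share and download URLs.
func ServesAsActiveContent(h http.Header) bool {
	disp, _, _ := mime.ParseMediaType(h.Get("Content-Disposition"))
	isHTML := strings.HasPrefix(strings.ToLower(h.Get("Content-Type")), "text/html")
	return isHTML && disp != "attachment"
}

func main() {
	handlers := map[string]http.HandlerFunc{"vulnerable": vulnerableDownload, "hardened": hardenedDownload}
	for name, h := range handlers {
		hdr := fetchHeaders(h, "/share/readme.html?inline=1")
		fmt.Printf("%-10s Content-Disposition=%q active=%v\n",
			name, hdr.Get("Content-Disposition"), ServesAsActiveContent(hdr))
	}
}
```

The check deliberately keys on the combination of an HTML content type and a missing attachment disposition: a .txt served inline is not a rendering risk, and an .html served with attachment is downloaded rather than executed, which is exactly the property the 2.7.3 fix restores.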
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: GHSA-3vcg-pv95-pq54
- OSV schema version: 1.4.0
- Aliases: CVE-2026-49245
- Ecosystems: Go
- Database-specific severity: LOW
- CVSS version: 3.1
Threat ID: 6a46ecbb27e9c7971943cde5
Added to database: 07/02/2026, 22:56:59 UTC
Last enriched: 07/02/2026, 23:14:10 UTC
Last updated: 07/03/2026, 03:26:29 UTC