CVEs affecting projects tracked on Release Alert, from NVD & OSV.
CVE-2026-30914 — HIGH severity vulnerability | Release Alert
CVE-2026-30914
8.1
HIGHCVSS v3
Published
March 13, 2026
Affected
3 projects
Assigned by
GitHub
Severity scale
010
Description
SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.
ChocolateySFTPGo allows you to securely share your files over SFTP and optionally over HTTP/S, FTP/S and WebDAV as well.
Several storage backends are supported and they are configurable per-user, so you can serve a local directory for a user and an S3 bucket (or part of it) for another one.
SFTPGo also supports virtual folders. A virtual folder can use any of the supported storage backends. So you can have, for example, a user with the S3 backend mapping a GCS bucket (or part of it) on a specified path and an encrypted local filesystem on another one. Virtual folders can be private or shared among multiple users, for shared virtual folders you can define different quota limits for each user.
SFTPGo allows to create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date.
SFTPGo is highly customizable and extensible to suit your needs.
You can find more info [here](https://docs.sftpgo.com/latest/).
### Notes
* This package installs SFTPGo as Windows Service.
* After the first installation please take a look at the [Getting Started Guide](https://docs.sftpgo.com/2.7/initial-configuration/).