Vulnerability Overview

Vulnerability ID: EEF-CVE-2026-23942
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) / SFTP root escape
Description: A path traversal vulnerability exists in Erlang OTP (specifically within the module). When the SFTP server uses for string prefix matching to verify if a path resides within the configured root directory, it fails to perform correct path component validation. For instance, if the root directory is set to , paths such as or are incorrectly considered to be within the root directory, allowing unauthorized users to access sibling directories.

Affected Scope

Affected Package: Erlang OTP ( )
Affected Versions: OTP 17.0 through OTP 28.4.1 OTP 27.3.4.9 OTP 26.2.5.1
Specific list includes: OTP-17., OTP-18., OTP-19., OTP-20., OTP-21., OTP-22., OTP-23., OTP-24., OTP-25., OTP-26., OTP-27., OTP-28., OTP-29., OTP_17., etc.

Remediation

Fixed Versions: OTP 28.4.1, OTP 27.3.4.9, OTP 26.2.5.1
Git Commit Hashes:

POC / Exploit Code

The provided screenshot does not contain specific POC code.
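
The Description contrasts string prefix matching with path component validation; the module below is an added illustration of that difference for a root-containment check, not code from Erlang/OTP or its fix. The module name, the function names and every path are constructed, `lists:prefix/2` stands in for the prefix function the page does not name, and the lexical `.`/`..` normalisation goes slightly beyond the sibling-directory case the page describes.

```erlang
%% Added illustration; not code from Erlang/OTP. All paths are constructed.
-module(root_check).
-export([prefix_within/2, component_within/2, demo/0]).

%% Flawed pattern: character-by-character prefix comparison. Erlang strings
%% are character lists, so lists:prefix/2 (an assumption standing in for the
%% function the page leaves unnamed) cannot tell where a component ends.
prefix_within(Root, Path) ->
    lists:prefix(Root, Path).

%% Component-aware check: normalise both absolute paths, then require every
%% component of Root to equal the corresponding leading component of Path.
component_within(Root, Path) ->
    lists:prefix(normalize(Root), normalize(Path)).

%% Split into components and resolve "." and ".." lexically.
%% Assumes absolute POSIX-style paths; symlinks are not resolved here.
normalize(Path) ->
    normalize(filename:split(Path), []).

normalize([], Acc) -> lists:reverse(Acc);
normalize(["." | T], Acc) -> normalize(T, Acc);
normalize([".." | T], ["/"]) -> normalize(T, ["/"]);   % cannot go above "/"
normalize([".." | T], [_ | Acc]) -> normalize(T, Acc);
normalize([C | T], Acc) -> normalize(T, [C | Acc]).

%% Returns {Path, PrefixResult, ComponentResult} for each constructed path.
demo() ->
    Root = "/srv/sftp/alice",
    Paths = ["/srv/sftp/alice",
             "/srv/sftp/alice/report.txt",
             "/srv/sftp/alice_backup/db.dump",
             "/srv/sftp/alice2/notes.txt",
             "/srv/sftp/alice/../bob/notes.txt"],
    [{P, prefix_within(Root, P), component_within(Root, P)} || P <- Paths].
```

Compile with `c(root_check).` and call `root_check:demo().` in the Erlang shell; the rows where the two booleans disagree are the paths a prefix-only check wrongly places inside the root.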