CVE-2026-47187: Symlink escape - rogue SFTP server -> local file read/write

Severity: Critical (CVSS 9.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
CWE: CWE-59 (Improper Link Resolution Before File Access)

A rogue SFTP server can return symlink targets (absolute paths or relative "../../../" escapes) that sshfs passes to the kernel unchanged. The kernel resolves them on the client's local filesystem, so an ordinary "cp" through the mountpoint can read local files back
Source: infosec.exchange
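
A client-side check for the link targets described above, as an added example that is not part of the original post or of sshfs: it walks a directory tree without following any link and flags symlinks whose readlink() target is absolute or climbs above the root. The function names and the sample tree are hypothetical, and the check is lexical: it classifies each link's target string on its own.

```python
import os
import posixpath
import tempfile

def classify_target(link_rel, target):
    """Classify a readlink() result lexically, relative to the mount root.

    link_rel is the link's own path relative to the mount root.
    Returns "absolute", "escapes" or "inside".
    """
    if target.startswith("/"):
        return "absolute"   # resolved from the client's own "/"
    base = posixpath.dirname(link_rel)
    resolved = posixpath.normpath(posixpath.join(base, target))
    if resolved == ".." or resolved.startswith("../"):
        return "escapes"    # climbs above the mountpoint
    return "inside"

def audit_mount(root):
    """Walk root without following any symlink; return the flagged links."""
    findings, stack = [], [root]
    while stack:
        current = stack.pop()
        with os.scandir(current) as entries:
            for entry in entries:
                if entry.is_symlink():
                    rel = os.path.relpath(entry.path, root)
                    target = os.readlink(entry.path)
                    verdict = classify_target(rel, target)
                    if verdict != "inside":
                        findings.append((rel, target, verdict))
                elif entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a local directory standing in for a mountpoint."""
    os.makedirs(os.path.join(root, "docs", "sub"))
    os.symlink("/etc/hostname", os.path.join(root, "abs_link"))
    os.symlink("../../../tmp/x", os.path.join(root, "docs", "up_link"))
    os.symlink("../readme.txt", os.path.join(root, "docs", "sub", "ok_link"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, target, verdict in audit_mount(tmp):
            print(f"{verdict:8} {rel} -> {target}")
```

The walk reads directory entries and link targets only, so it can be run against a mountpoint before any tool that follows links is used on it.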