SFTPGo Files

New features

• Added a configurable minimum-entropy check (common.secret_min_entropy, default 80) for data-at-rest encryption secrets (CryptFs passphrase, S3 SSE-C key), to reject trivially weak key material at submission time.
• Logs: added the virtual path to transfer/command logs and to event-log CSV exports.
• WebClient: replaced glightbox with a custom lightbox implementation for better CSP compatibility.

Bug fixes

• IP list: fixed matching when an IP is covered by multiple conflicting entries.
• Fixed comparison of unordered slices.
• Shares: enforce max_tokens atomically via a guarded conditional update, closing a check-then-write race that could let a usage-capped share be used more times than allowed under concurrent access.
• In-memory reset-code manager: check code expiry at retrieval time instead of relying only on the background cleanup.

Security fixes

• Fixed a path-confinement bypass in the public browsable-share partial ZIP download. CVE-2026-49244.
• Fixed a stored XSS where the inline parameter on browsable-share and authenticated user file downloads suppressed Content-Disposition: attachment, allowing an attacker-supplied HTML file to execute in SFTPGo's web origin. These endpoints now always respond with Content-Disposition: attachment and the inline parameter has been removed. CVE-2026-49245.

Hardening

• Neutralized CSV formula injection in the Event Manager and event-log CSV exports: cells starting with =, +, -, @, tab or CR are now prefixed with a single quote.
• Username, folder, group and other object names now reject invisible Unicode formatting characters (e.g. zero-width joiners, bidirectional overrides, BOM) and line/paragraph separators, preventing the creation of invisible or visually confusable names and newline-like codepoints that could appear in paths and logs.
• WebClient: trigger a defender event on share login failure.