New features
- Added a configurable minimum-entropy check (`common.secret_min_entropy`, default 80) for data-at-rest encryption secrets (CryptFs passphrase, S3 SSE-C key), to reject trivially weak key material at submission time.
- Logs: added the virtual path to transfer/command logs and to event-log CSV exports.
- WebClient: replaced glightbox with a custom lightbox implementation for better CSP compatibility.
Bug fixes
- IP list: fixed matching when an IP is covered by multiple conflicting entries.
- Fixed comparison of unordered slices.
- Shares: enforce `max_tokens` atomically via a guarded conditional update, closing a check-then-write race that could let a usage-capped share be used more times than allowed under concurrent access.
- In-memory reset-code manager: check code expiry at retrieval time instead of relying only on the background cleanup.
Security fixes
- Fixed a path-confinement bypass in the public browsable-share partial ZIP download. CVE-2026-49244.
- Fixed a stored XSS where the `inline` parameter on browsable-share and authenticated user file downloads suppressed `Content-Disposition: attachment`, allowing an attacker-supplied HTML file to execute in SFTPGo's web origin. These endpoints now always respond with `Content-Disposition: attachment` and the `inline` parameter has been removed. CVE-2026-49245.
Hardening
- Neutralized CSV formula injection in the Event Manager and event-log CSV exports: cells starting with `=`, `+`, `-`, `@`, tab or CR are now prefixed with a single quote.
- Username, folder, group and other object names now reject invisible Unicode formatting characters (e.g. zero-width joiners, bidirectional overrides, BOM) and line/paragraph separators, preventing the creation of invisible or visually confusable names and of newline-like codepoints that could appear in paths and logs.
- WebClient: trigger a defender event on share login failure.
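The CSV neutralization rule described under Hardening, shown as an added standalone Go example (not SFTPGo's own code): every exported cell whose first byte a spreadsheet could treat as a formula trigger is prefixed with a single quote before it goes through the standard CSV writer. The sample event-log rows are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
)

// sanitizeCSVCell neutralizes CSV/formula injection: a cell beginning with
// '=', '+', '-' or '@' would be evaluated as a formula by common spreadsheet
// applications, and a leading tab or carriage return can be stripped by some
// importers before the formula check. A single-quote prefix forces the cell
// to be rendered as literal text.
func sanitizeCSVCell(cell string) string {
	if cell == "" {
		return cell
	}
	switch cell[0] {
	case '=', '+', '-', '@', '\t', '\r':
		return "'" + cell
	}
	return cell
}

// exportRows writes rows as CSV with every cell passed through sanitizeCSVCell.
// encoding/csv still handles quoting of commas, quotes and embedded newlines.
func exportRows(rows [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	for _, row := range rows {
		safe := make([]string, len(row))
		for i, c := range row {
			safe[i] = sanitizeCSVCell(c)
		}
		if err := w.Write(safe); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

func main() {
	// Constructed sample event-log rows; the second row carries a hostile username.
	rows := [][]string{
		{"timestamp", "username", "virtual_path"},
		{"2026-01-01T00:00:00Z", `=HYPERLINK("http://example.invalid")`, "/docs/report.txt"},
		{"2026-01-01T00:00:01Z", "alice", "/docs/notes.txt"},
	}
	out, err := exportRows(rows)
	fmt.Print(out, err)
}
```

The prefix is applied to any cell that starts with one of those bytes, so a legitimate negative number such as "-5" is also exported as "'-5"; that is the accepted trade-off of this mitigation.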