
sftpgo

v2.7.3 Security

This release includes 2 security fixes and is relevant for security teams reviewing exposed deployments.

Published 4d File Storage & Sync
This release patches 2 known CVEs

Topics

azure-blob cloud-storage data-at-rest-encryption docker ftp ftp-server go google-cloud-storage multi-factor-authentication portable prometheus proxy-protocol s3 scp sftp sftp-server webdav webdav-server

Affected surfaces

auth, rce_ssrf

ReleasePort's take

Moderate signal

The v2.7.3 release patches a path-confinement bypass in the browsable-share ZIP download and eliminates stored XSS by enforcing proper Content-Disposition headers on file downloads.

Why it matters: Addresses two high-severity security flaws (severities 95) affecting public share endpoints; operators should upgrade immediately to prevent remote code execution or cross-site scripting attacks.

Summary

AI summary

A mixed release covering bug fixes, new features, and hardening.

Changes in this release

  • Security (Critical): Fixes path-confinement bypass in browsable-share ZIP download. Confidence: high.
  • Security (Critical): Fixes stored XSS by enforcing attachment Content-Disposition and removes inline parameter. Confidence: high.
  • Feature (Medium): Adds configurable minimum-entropy check for data-at-rest encryption secrets (default 80). Confidence: high.
  • Feature (Medium): Adds virtual path information to transfer/command logs and event-log CSV exports. Confidence: high.
  • Feature (Medium): Replaces glightbox with custom lightbox in WebClient for better CSP compatibility. Confidence: high.
  • Bugfix (High): Enforces max_tokens atomically, fixing check-then-write race in shares. Confidence: high.
  • Bugfix (Medium): Checks reset-code expiry at retrieval time in in-memory manager. Confidence: high.
  • Bugfix (Medium): Fixes IP list matching when an IP is covered by multiple conflicting entries. Confidence: high.
  • Bugfix (Medium): Fixes comparison of unordered slices. Confidence: high.
  • Other (Low): Neutralizes CSV formula injection by prefixing risky cell values with a single quote in Event Manager and exports. Confidence: low.

Source: llm_adapter@2026-05-31

Full changelog

New features

  • Added a configurable minimum-entropy check (common.secret_min_entropy, default 80) for data-at-rest encryption secrets (CryptFs passphrase, S3 SSE-C key), to reject trivially weak key material at submission time.
  • Logs: added the virtual path to transfer/command logs and to event-log CSV exports.
  • WebClient: replaced glightbox with a custom lightbox implementation for better CSP compatibility.

Bug fixes

  • IP list: fixed matching when an IP is covered by multiple conflicting entries.
  • Fixed comparison of unordered slices.
  • Shares: enforce max_tokens atomically via a guarded conditional update, closing a check-then-write race that could let a usage-capped share be used more times than allowed under concurrent access.
  • In-memory reset-code manager: check code expiry at retrieval time instead of relying only on the background cleanup.

Security fixes

  • Fixed a path-confinement bypass in the public browsable-share partial ZIP download. CVE-2026-49244.
  • Fixed a stored XSS where the inline parameter on browsable-share and authenticated user file downloads suppressed Content-Disposition: attachment, allowing an attacker-supplied HTML file to execute in SFTPGo's web origin. These endpoints now always respond with Content-Disposition: attachment and the inline parameter has been removed. CVE-2026-49245.

Hardening

  • Neutralized CSV formula injection in the Event Manager and event-log CSV exports: cells starting with =, +, -, @, tab or CR are now prefixed with a single quote.
  • Username, folder, group and other object names now reject invisible Unicode formatting characters (e.g. zero-width joiners, bidirectional overrides, BOM) and line/paragraph separators, preventing the creation of invisible or visually confusable names and newline-like codepoints that could appear in paths and logs.
  • WebClient: trigger a defender event on share login failure.
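As an added example (not SFTPGo's own code), here is a Go rendering of the two input-hardening rules in the list above: a CSV cell neutralizer using exactly the trigger set the changelog names, wired into an encoding/csv export, and an object-name check that rejects Unicode format characters (category Cf, which covers zero-width joiners, bidi overrides and the BOM) and line/paragraph separators (Zl, Zp). The function names and the sample row are constructed for this illustration.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
	"unicode"
)

// neutralizeCSVCell prefixes a cell with a single quote when its first byte is
// one of the formula triggers from the changelog (=, +, -, @, tab, CR), so a
// spreadsheet displays the text instead of evaluating it as a formula.
func neutralizeCSVCell(cell string) string {
	if cell == "" {
		return cell
	}
	switch cell[0] {
	case '=', '+', '-', '@', '\t', '\r':
		return "'" + cell
	}
	return cell
}

// exportRow neutralizes every cell, then lets encoding/csv handle the usual
// quoting of commas, double quotes and newlines (hypothetical helper).
func exportRow(cells []string) (string, error) {
	safe := make([]string, len(cells))
	for i, c := range cells {
		safe[i] = neutralizeCSVCell(c)
	}
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	if err := w.Write(safe); err != nil {
		return "", err
	}
	w.Flush()
	return sb.String(), w.Error()
}

// isValidObjectName rejects names carrying invisible formatting characters
// (Cf: zero-width joiner, bidi overrides, BOM, ...) or line/paragraph
// separators (Zl, Zp); ordinary non-ASCII letters such as "é" stay allowed.
func isValidObjectName(name string) bool {
	return strings.IndexFunc(name, func(r rune) bool {
		return unicode.Is(unicode.Cf, r) || unicode.Is(unicode.Zl, r) || unicode.Is(unicode.Zp, r)
	}) < 0
}

func main() {
	// Constructed sample: an event-log row whose username column holds a formula.
	line, _ := exportRow([]string{"2026-05-31T10:00:00Z", "=HYPERLINK(\"https://example.invalid\")", "/home/alice/report.txt"})
	fmt.Print(line)
	for _, n := range []string{"alice", "ali\u200Dce", "josé"} {
		fmt.Printf("%q valid: %v\n", n, isValidObjectName(n))
	}
}
```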

Security Fixes

  • CVE-2026-49244 — Fixed path-confinement bypass in public browsable-share partial ZIP download.
  • CVE-2026-49245 — Fixed stored XSS on browsable‑share and authenticated user file downloads; `inline` parameter removed, always sends `Content-Disposition: attachment`.


About sftpgo

Full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob
