[1.4.2] Update sftpgo to 2.7.3 Full Changelog Added a configurable minimum-entropy check (common.secret_min_entropy, default 80) for data-at-rest encryption secrets (CryptFs passphrase, S3 SSE-C key), to reject trivially weak key material at submission time. Logs: added the virtual path to transfer/command logs and to event-log CSV exports. WebClient: replaced glightbox with a custom lightbox implementation for better CSP compatibility. IP list: fixed matching when an IP is covered by multiple conflicting entries. Fixed comparison of unordered slices. Shares: enforce max_tokens atomically via a guarded conditional update, closing a check-then-write race that could let a usage-capped share be used more times than allowed under concurrent access. In-memory reset-code manager: check code expiry at retrieval time instead of relying only on the background cleanup. Fixed a path-confinement bypass in the public browsable-share partial ZIP download. CVE-2026-49244. Fixed a stored XSS where the inline parameter on browsable-share and authenticated user file downloads suppressed Content-Disposition: attachment, allowing an attacker-supplied HTML file to execute in SFTPGo's web origin. These endpoints now always respond with Content-Disposition: attachment and the inline parameter has been removed. CVE-2026-49245. Neutralized CSV formula injection in the Event Manager and event-log CSV exports: cells starting with =, +, -, @, tab or CR are now prefixed with a single quote.