CVE-2026-30974

Medium CVSS: 4.6

Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.

Vendor

9001

Product

Copyparty

CWE

CWE-79

Yayın Tarihi

2026-03-10 18:18:56

Güncelleme

2026-03-13 20:14:44

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Copyparty MEDIUM 9001 2026

Referanslar

https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5 https://github.com/9001/copyparty/releases/tag/v1.20.11 https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm

Benzer Kayıtlar

Low

CVE-2026-32108

Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the s…

Low

CVE-2026-32109

Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-permissions to…

Medium

CVE-2026-27948

Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via U…

Medium

CVE-2025-58753

Copyparty is a portable file server. In versions prior to 1.19.8, there was a missing permission-check in the shares fea…

High

CVE-2023-41471

Cross Site Scripting vulnerability in copyparty before 1.9.2 allows a local attacker to execute arbitrary code via a cra…

High

CVE-2025-54796

Copyparty is a portable file server. Versions prior to 1.18.9, the filter parameter for the "Recent Uploads" page allows…