CVE-2026-27948

Description

Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

9001 / copyparty< 1.20.9 – < 1.20.9

References

VENDOR_ADVISORYhttps://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h
PATCHhttps://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc