Description
Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.
Published: 2026-03-10
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary JavaScript execution via unsanitized SVG uploads
Action: Patch Now
AI Analysis

Impact

Copyparty is a portable file server that allows users to upload files. In versions prior to 1.20.11, the configuration option intended to block JavaScript in uploaded HTML files—the nohtml flag—did not apply to SVG images. An attacker with write permission can embed JavaScript inside an SVG file; when another user opens that file in a browser, the script runs in the context of that user’s browser. This enables cross‑site scripting that can steal session cookies, credentials, or execute further client‑side attacks.

Affected Systems

The vulnerability affects the Copyparty product from vendor 9001. Any deployment running a version earlier than 1.20.11 is susceptible. Users should verify their installed version and apply the update if below the mentioned threshold.

Risk and Exploitability

The CVSS score of 4.6 denotes moderate severity, while the EPSS score of less than 1 % indicates a low likelihood of exploitation in the wild. Copyparty is not listed in the CISA KEV catalog. The attack requires an authenticated user with write permissions to upload a crafted SVG; once uploaded, the malicious code executes in the victim’s browser, compromising client‑side confidentiality and integrity but not the server itself.

Generated by OpenCVE AI on April 16, 2026 at 09:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Copyparty to version 1.20.11 or later, which enforces the nohtml flag on SVG uploads
  • Restrict file‑upload permissions so that only trusted users can add new files, reducing the attack surface
  • Monitor SVG uploads for embedded JavaScript or other suspicious content and consider disabling SVG file types temporarily until the patch is applied

Generated by OpenCVE AI on April 16, 2026 at 09:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m6hv-x64c-27mm copyparty: volflag `nohtml` did not block javascript in svg files
History

Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared 9001
9001 copyparty
Vendors & Products 9001
9001 copyparty

Tue, 10 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.
Title Copyparty volflag `nohtml` did not block javascript in svg files
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

9001 Copyparty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:45:33.773Z

Reserved: 2026-03-07T17:53:48.816Z

Link: CVE-2026-30974

cve-icon Vulnrichment

Updated: 2026-03-11T14:45:27.811Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:56.220

Modified: 2026-03-13T20:14:44.720

Link: CVE-2026-30974

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses