Description
Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which make it harder to leverage this vulnerability in an attack; in order to gain control of the target's authenticated session, the link must be clicked from a page served by the server itself -- most likely by editing an existing resource, which would require additional access permissions. Finally, for this attack to be successful, the attacker's target must click the specific crafted link given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server. This vulnerability is fixed in 1.20.12.
Published: 2026-03-11
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows an attacker who can write to the Copyparty server to upload a file named ".prologue.html" containing malicious JavaScript. Normally the script would run only when the file is accessed directly via a URL such as https://example.com/foo/.prologue.html. However, the server also evaluates the file when accessing the directory with a query string, e.g., https://example.com/foo/?b. Consequently, an attacker can craft a link that causes the JavaScript to execute in an unsuspecting victim’s browser. Because the script runs with the victim’s authenticated session, the attacker can perform actions such as session hijacking, data exfiltration, or further exploitation. The weakness corresponds to CWE‑79 (Cross‑Site Scripting).

Affected Systems

The issue affects Copyparty (vendor 9001) prior to version 1.20.12. All installations in which an attacker holds both read and write permissions on a directory are affected. The product is listed under cpe:2.3:a:9001:copyparty.

Risk and Exploitability

The CVSS base score is 3.7, categorising the flaw as Low severity, and the EPSS score is below 1%, indicating a low likelihood of exploitation in the wild. It is not present in the CISA KEV catalog. Exploitation requires the attacker to have write access to create .prologue.html and the victim to click a specific crafted link; to expose the authenticated session, that link must be clicked from a page served by the same server. SameSite=Strict cookies reduce the risk but do not remove it if the victim follows such a link. Overall risk is moderate for environments with permissive write access, but low for strongly isolated configurations.

Generated by OpenCVE AI on March 17, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Copyparty to version 1.20.12 or later.
  • Revoke write permissions for untrusted users or restrict write access to the server’s upload directories.
  • Configure session cookies with SameSite=Strict to reduce the chance of session hijacking via crafted URLs.
  • Avoid placing or serving .prologue.html files in publicly accessible directories.
  • If an update is not possible, monitor for suspicious links containing query strings like '?b' and block or remove them.
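The audit and monitoring steps above can be scripted. The following is an added example, not copyparty's own code or tooling: it walks a volume root for folders that contain .prologue.html (the filename from the advisory) and then correlates an access log against those folders, flagging directory-listing requests that carry the `b` query parameter described in the advisory while leaving direct fetches of the HTML file alone, since those are intended behaviour. The Common Log Format layout of the log lines, the sample tree and the sample log entries are all constructed assumptions for the demo; a real deployment's log shape may differ and the regex would need adjusting.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Name of the per-folder file the advisory describes.
PROLOGUE_NAME = ".prologue.html"


def find_prologue_files(root):
    """Walk a volume root and return the URL-style directory paths (relative to
    root, with leading and trailing '/') that contain a .prologue.html file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if PROLOGUE_NAME in filenames:
            rel = os.path.relpath(dirpath, root)
            url_dir = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
            hits.append(url_dir)
    return sorted(hits)


# Assumed access-log layout (Common Log Format style). The shape of a real
# copyparty log line is an assumption here and may need adjusting.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_directory_renders(log_lines, prologue_dirs):
    """Return (ip, target) pairs for requests that fetch a directory listing
    with a 'b' query parameter where that directory holds .prologue.html.
    Direct fetches of the HTML file itself are intended behaviour and are
    not flagged."""
    watched = set(prologue_dirs)
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/"):
            continue  # a file, not a directory listing
        # keep_blank_values so a bare "?b" (no "=value") is still seen as key "b"
        params = parse_qs(parts.query, keep_blank_values=True)
        if "b" in params and parts.path in watched:
            flagged.append((m.group("ip"), m.group("target")))
    return flagged


# Constructed sample log lines for the demo (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2026:16:00:00 +0000] "GET /foo/?b HTTP/1.1" 200',
    '10.0.0.5 - - [17/Mar/2026:16:00:01 +0000] "GET /foo/ HTTP/1.1" 200',
    '10.0.0.9 - - [17/Mar/2026:16:00:02 +0000] "GET /bar/?b HTTP/1.1" 200',
    '10.0.0.9 - - [17/Mar/2026:16:00:03 +0000] "GET /foo/.prologue.html HTTP/1.1" 200',
]


def run_demo():
    """Build a throwaway volume (constructed sample tree), audit it, and
    correlate the sample log against the folders found."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "foo"))
        os.makedirs(os.path.join(root, "bar"))
        with open(os.path.join(root, "foo", PROLOGUE_NAME), "w") as f:
            f.write("<p>constructed prologue</p>\n")
        with open(os.path.join(root, "bar", "readme.txt"), "w") as f:
            f.write("nothing to see\n")
        hits = find_prologue_files(root)
    flagged = flag_directory_renders(SAMPLE_LOG, hits)
    return hits, flagged


if __name__ == "__main__":
    found, suspicious = run_demo()
    print("folders with .prologue.html:", found)
    print("listing requests to review:", suspicious)
```

Only the `/foo/?b` request is reported: `/foo/` without the query and the direct `/foo/.prologue.html` fetch are normal, and `/bar/?b` points at a folder with no prologue file. Point `find_prologue_files` at each writable volume root to produce the watch list for the log check.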

Advisories
Source: GitHub GHSA
ID: GHSA-rcp6-88mm-9vgf
Title: Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html`
History

Fri, 13 Mar 2026 16:00:00 +0000

CPEs (values added): cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

First Time appeared (values added): 9001; 9001 copyparty
Vendors & Products (values added): 9001; 9001 copyparty

Wed, 11 Mar 2026 20:30:00 +0000

Description (values added): Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain control of the target's authenticated session, the link must be clicked from a page served by the server itself -- most likely by editing an existing resource, which would require additional access permissions. Finally, for this attack to be successful, the attacker's target must click the specific crafted link given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server. This vulnerability is fixed in 1.20.12.
Title (values added): Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html`
Weaknesses (values added): CWE-79
References (values added): (none listed)
Metrics (values added): cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:45:30.412Z

Reserved: 2026-03-10T22:02:38.854Z

Link: CVE-2026-32109

Vulnrichment

Updated: 2026-03-12T19:45:27.180Z

NVD

Status : Analyzed

Published: 2026-03-11T21:16:16.913

Modified: 2026-03-13T15:51:01.343

Link: CVE-2026-32109

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:18Z

Weaknesses