NIXPKGS-2026-0407
published on 27 Feb 2026
CVE-2026-27948
5.4 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
Copyparty vulnerable to reflected cross-site scripting via setck parameter
Copyparty is a portable file server. Versions prior to 1.20.9 are vulnerable to reflected cross-site scripting (XSS) via the URL parameter `?setck=...`. Version 1.20.9 fixes the issue.
Affected products
copyparty
- < 1.20.9
Matching in nixpkgs
pkgs.copyparty
turn almost any device into a file server over http(s), webdav, ftp(s), and tftp
pkgs.copyparty-min
turn almost any device into a file server over http(s), webdav, ftp(s), and tftp - minimal variant
pkgs.copyparty-most
turn almost any device into a file server over http(s), webdav, ftp(s), and tftp - most variant
Package maintainers
- @shelvacu Shelvacu <nix-maint@shelvacu.com>