Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0407

NIXPKGS-2026-0407
published on
Permalink CVE-2026-27948
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago
Copyparty vulnerable to eflected cross-site scripting via setck parameter

Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue.

Affected products

copyparty
  • ==< 1.20.9

Matching in nixpkgs

pkgs.copyparty

turn almost any device into a file server over http(s), webdav, ftp(s), and tftp

pkgs.copyparty-min

turn almost any device into a file server over http(s), webdav, ftp(s), and tftp - minimal variant

pkgs.copyparty-most

turn almost any device into a file server over http(s), webdav, ftp(s), and tftp - most variant

Package maintainers

Upstream advisory: https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h
Upstream patch: https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc