CVE-2026-30974
4.6 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
Activity log (@mweinelt): automatic suggestion created, then dismissed.
Copyparty volflag `nohtml` did not block JavaScript in SVG files
Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write permission could upload an SVG containing embedded JavaScript, which would execute in the browser context of whichever user opens it. This has been fixed in v1.20.11.
References
- https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm x_refsource_CONFIRM
- https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5 x_refsource_MISC
- https://github.com/9001/copyparty/releases/tag/v1.20.11 x_refsource_MISC
Affected products
copyparty
- < 1.20.11
Matching in nixpkgs
pkgs.copyparty
turn almost any device into a file server over http(s), webdav, ftp(s), and tftp
pkgs.copyparty-min
turn almost any device into a file server over http(s), webdav, ftp(s), and tftp - minimal variant
pkgs.copyparty-most
turn almost any device into a file server over http(s), webdav, ftp(s), and tftp - most variant
Package maintainers
- @shelvacu Shelvacu <nix-maint@shelvacu.com>