CVE-2026-30974
4.6 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- @mweinelt created suggestion
- @mweinelt dismissed
Copyparty volflag `nohtml` did not block JavaScript in SVG files
Copyparty is a portable file server. Prior to v1.20.11, the `nohtml` config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write permission could upload an SVG containing embedded JavaScript, which would execute in the browser context of whichever user opens it. This has been fixed in v1.20.11.
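The point of the advisory is that SVG is an active document format just as HTML is: it can carry `<script>`, event-handler attributes, `javascript:` URLs and HTML via `<foreignObject>`. As an added illustration (not copyparty's code, and not how the v1.20.11 fix is implemented), here is a small Python check that a `nohtml`-style policy could apply to uploaded SVGs; the sample documents and the helper names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample uploads (not from the advisory): one benign icon and two
# that carry script in ways a rule keyed only on the .html extension would miss.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                b'<script>/* constructed placeholder */</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:void(0)"><rect onclick="" width="1"/></a></svg>')

def _local(qname: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit('}', 1)[-1].lower()

def svg_active_content(data: bytes) -> list[str]:
    """Return the script-bearing constructs found in an SVG document.

    Flags <script>, <foreignObject> (which embeds arbitrary HTML), on* event
    handler attributes and javascript: URLs in href / xlink:href.  Unparseable
    input is reported as a finding rather than silently passed, because
    browsers render SVG with a far more forgiving parser than this one.
    Hypothetical helper, not part of copyparty; use defusedxml in production.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f'unparseable XML: {exc}']
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == 'script':
            findings.append('<script> element')
        elif tag == 'foreignobject':
            findings.append('<foreignObject> element')
        for attr, value in el.attrib.items():
            name = _local(attr)
            # collapse whitespace so "java\nscript:" is not missed
            url = ''.join(value.split()).lower()
            if name.startswith('on'):
                findings.append(f'event handler attribute {name}')
            elif name == 'href' and url.startswith('javascript:'):
                findings.append(f'javascript: URL in {attr}')
    return findings

def nohtml_should_block(data: bytes) -> bool:
    """Decision a nohtml-style volflag would take for an uploaded SVG."""
    return bool(svg_active_content(data))
```

Serving user uploads with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` is the complementary server-side control; the check above only tells you which files need it.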
References
- https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm (CONFIRM)
- https://github.com/9001/copyparty/releases/tag/v1.20.11 (MISC)
Affected products
- copyparty < 1.20.11
Matching in nixpkgs
- pkgs.copyparty: turn almost any device into a file server over http(s), webdav, ftp(s), and tftp
- pkgs.copyparty-min: turn almost any device into a file server over http(s), webdav, ftp(s), and tftp (minimal variant)
- pkgs.copyparty-most: turn almost any device into a file server over http(s), webdav, ftp(s), and tftp (most variant)
Package maintainers
- @shelvacu Shelvacu <nix-maint@shelvacu.com>