PYSEC-2026-31
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the...
CVE-2026-27948 Copyparty vulnerable to reflected cross-site scripting via setck parameter
Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter ?setck=.... Version 1.20.9 fixes the issue...
CVE-2023-41471
CVE-2023-41471 affects copyparty prior to 1.9.2, enabling Cross-Site Scripting via the WEEKEND-PLANS function. The vulnerability is exploitable by a local attacker (with write access) and can lead to arbitrary code execution in the user's browser. Some sources note debate over the practical impac...
GHSA-5662-2RJ7-F2V6 copyparty allows Regex Denial of Service (ReDoS) in the upload listing
Summary: The filter parameter for the "Recent uploads" page allows arbitrary Regexes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server. PoC: https://127.0.0.1:3923/?ru&filter=.++x Impact: The server becomes fully inaccessible for a long time...
CVE-2025-54589
Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at /?ru, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a...
CVE-2025-54796
Copyparty is a portable file server. In versions prior to 1.18.9, the filter parameter for the "Recent Uploads" page allows arbitrary RegExes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server. This is fixed in version 1.18.9...
CVE-2025-54796 Copyparty is vulnerable to Regex Denial of Service (ReDoS) attacks through "Recent Uploads" page
Copyparty is a portable file server. In versions prior to 1.18.9, the filter parameter for the "Recent Uploads" page allows arbitrary RegExes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server. This is fixed in version 1.18.9...
CVE-2025-54796
CVE-2025-54796 concerns Copyparty, a portable file server. The vulnerability affects versions prior to 1.18.9 where the filter parameter on the "Recent Uploads" page accepts arbitrary RegExes. When this feature is enabled (the default), an attacker can craft a regex-based filter that deadlocks th...
PT-2025-31710 · Copyparty · Copyparty
Name of the Vulnerable Software and Affected Versions: Copyparty versions prior to 1.18.9 Description: Copyparty is a portable file server. The filter parameter for the "Recent Uploads" page allows arbitrary Regular Expressions (RegExes). If this feature is enabled by default, an attacker can craft...
Exploit for CVE-2025-54589
CVE-2025-54589 – Copyparty Reflected XSS Author: Byte Rea...
CVE-2025-54589 copyparty Reflected XSS via Filter Parameter
Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at /?ru, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a script block without proper escaping...
CVE-2025-54589
Copyparty ≤1.18.6 is vulnerable to reflected XSS via the filter parameter on the /?ru endpoint. The input is echoed into a script block without proper escaping, enabling arbitrary JavaScript execution in victim browsers for both authenticated and unauthenticated users. The issue is fixed in versi...
PT-2025-31523 · Copyparty · Copyparty
Name of the Vulnerable Software and Affected Versions: Copyparty versions 1.18.6 and below Description: Copyparty is a portable file server susceptible to a reflected Cross-Site Scripting (XSS) issue. When accessing the recent uploads page at /?ru, the application does not properly escape...
CVE-2025-54423
copyparty is a portable file server. In versions up to and including 1.18.4, an unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files. This is fixed in version 1.18.5...
CVE-2025-54423
CVE-2025-54423 affects the Copyparty portable file server. Versions up to and including 1.18.4 allow an unauthenticated attacker to execute arbitrary JavaScript in a victim’s browser due to improper sanitization of multimedia tags in music files (including m3u). This is a DOM-based XSS vulnerabil...
PT-2025-31150 · Copyparty · Copyparty
Name of the Vulnerable Software and Affected Versions: copyparty versions up to and including 1.18.4 Description: copyparty is a portable file server susceptible to cross-site scripting (XSS). An unauthenticated attacker can execute arbitrary JavaScript code in a victim’s browser due to improper...
DOM-based Cross-site Scripting (XSS)
copyparty is vulnerable to DOM-based cross-site scripting. The vulnerability is due to improper handling of maliciously named files during drag-and-drop actions in the Web UI, allowing arbitrary JavaScript execution...