
15 matches found

RedhatCVE
added 2026/03/26 3:11 p.m. | 4 views

CVE-2026-30974

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

CVSS 5.4 | AI score 6 | EPSS 0.00323
Exploits: 0 | References: 1
NVD
added 2026/03/10 6:18 p.m. | 2 views

CVE-2026-30974

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

CVSS 5.4 | EPSS 0.00323
Exploits: 0 | References: 3
Vulnrichment
added 2026/03/10 5:37 p.m. | 1 view

CVE-2026-30974 Copyparty volflag `nohtml` did not block javascript in svg files

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

CVSS 4.6 | AI score 5.8 | EPSS 0.00323
Exploits: 0 | References: 3
ATTACKERKB
added 2026/03/10 5:37 p.m. | 2 views

CVE-2026-30974

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

CVSS 4.6 | AI score 5.8 | EPSS 0.00323
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2026/03/10 5:37 p.m. | 3 views

CVE-2026-30974 Copyparty volflag `nohtml` did not block javascript in svg files

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

CVSS 4.6 | AI score 5.9 | EPSS 0.00323
Exploits: 0 | References: 5
Cvelist
added 2026/03/10 5:37 p.m. | 26 views

CVE-2026-30974 Copyparty volflag `nohtml` did not block javascript in svg files

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

CVSS 4.6 | EPSS 0.00323
Exploits: 0 | References: 3
CVE
added 2026/03/10 5:37 p.m. | 12 views

CVE-2026-30974

The copyparty advisory GHSA-M6HV-X64C-27MM describes a vulnerability where the nohtml volflag failed to block JavaScript in SVG files. Although not a vulnerability by itself, this allowed a user with write access to upload an SVG containing embedded JavaScript that could execute when opened, pote...

CVSS 5.4 | AI score 5.8 | EPSS 0.00323
Exploits: 0 | References: 3 | Affected Software: 1
EUVD
added 2026/03/10 5:37 p.m. | 4 views

EUVD-2026-10712

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

CVSS 4.6 | AI score 5.8 | EPSS 0.00323
Exploits: 0 | References: 3
Snyk
added 2026/03/10 1:20 a.m. | 2 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the nohtml configuration option not applying to SVG files. An attacker can execute arbitrary JavaScript code in the context of the user who opens a malicious SVG by uploading a crafted SVG file containing...

CVSS 5.4 | AI score 5.7 | EPSS 0.00323
Exploits: 0 | References: 2
EUVD
added 2026/03/10 1:20 a.m. | 3 views

EUVD-2026-10711

copyparty: volflag nohtml did not block javascript in svg files...

CVSS 4.6 | AI score 5.8 | EPSS 0.00323
Exploits: 0 | References: 3
OSV
added 2026/03/10 1:20 a.m. | 2 views

GHSA-M6HV-X64C-27MM copyparty: volflag `nohtml` did not block javascript in svg files

Summary: The nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. Details: A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This in...

CVSS 4.6 | AI score 5.9 | EPSS 0.00323
Exploits: 0 | References: 5
GitHub Security Blog
added 2026/03/10 1:20 a.m. | 5 views

copyparty: volflag `nohtml` did not block javascript in svg files

Summary: The nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. Details: A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This in...

CVSS 5.4 | AI score 5.9 | EPSS 0.00323
Exploits: 0 | References: 5 | Affected Software: 1
CNNVD
added 2026/03/10 12:00 a.m. | 3 views

Copyparty Cross-Site Scripting Vulnerability

Copyparty is a portable file server developed by an individual developer, Ed. Versions of Copyparty prior to v1.20.11 contained a cross-site scripting vulnerability. This vulnerability stemmed from the nohtml configuration option not being applied to SVG images, which could lead to the execution of...

CVSS 5.4 | AI score 5.8 | EPSS 0.00323
Exploits: 0 | References: 3
Positive Technologies
added 2026/03/10 12:00 a.m. | 5 views

PT-2026-24194

Name of the Vulnerable Software and Affected Versions: Copyparty versions prior to 1.20.11. Description: Copyparty’s nohtml configuration option, designed to block JavaScript execution in uploaded HTML files, did not extend to SVG images. A user with write access could upload an SVG file containing...

CVSS 5.4 | AI score 6 | EPSS 0.00323
Exploits: 0 | References: 10
OSV
added 2022/05/17 5:22 a.m. | 21 views

GHSA-V358-RVXR-WFFX Silverstripe XSS Vulnerabilities

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via a crafted string to the AbsoluteLinks, BigSummary, ContextSummary, EscapeXML, FirstParagraph, FirstSentence, ...

CVSS 4.3 | AI score 5.4 | EPSS 0.01925
Exploits: 1 | References: 9