CVE-2026-30974

Copyparty volflag `nohtml` did not block javascript in svg files

CVSS 4.6 MEDIUM · EPSS 0.3% · CWE-79

Copyparty is a portable file server. Prior to v1.20.11, the `nohtml` volflag, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Affected products
9001 · copyparty
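To audit a volume for SVG uploads that carry script, the sketch below walks a directory and reports each `.svg` containing a script-capable construct. It is an added example, not copyparty's code and not part of the advisory; the function names and sample documents are constructed here, and it assumes read access to the volume's files on disk.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

def _local(name: str) -> str:  # "{http://www.w3.org/2000/svg}script" -> "script"
    return name.rsplit("}", 1)[-1].lower()

def svg_active_content(data: bytes) -> list[str]:
    """List the script-capable constructs found in one SVG document."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML, review by hand"]
    found = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            found.append("<script> element")
        elif tag == "foreignobject":
            found.append("<foreignObject> element (can carry HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Browsers ignore whitespace and control characters inside the scheme.
            compact = re.sub(r"[\x00-\x20]", "", value).lower()
            if name.startswith("on"):
                found.append(f"{name} handler on <{tag}>")
            elif compact.startswith("javascript:"):
                found.append(f"javascript: URL in {name} on <{tag}>")
    return found

def scan_volume(root_dir: str) -> dict[str, list[str]]:
    """Map each .svg under root_dir to its findings; clean files are omitted."""
    hits = {}
    for path in sorted(Path(root_dir).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".svg":
            findings = svg_active_content(path.read_bytes())
            if findings:
                hits[str(path)] = findings
    return hits

# Constructed samples, not taken from the advisory.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
            b'<script>/* placeholder */</script></svg>')

if __name__ == "__main__":
    for file, findings in scan_volume(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(file, "->", "; ".join(findings))
```

Files that fail to parse are reported rather than skipped, so an unreadable upload still gets a manual look.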
