CVE-2023-41471

HIGH LAB

copyparty <1.9.2 - XSS

Title source: llm

Description

Cross Site Scripting vulnerability in copyparty before 1.9.2 allows a local attacker to execute arbitrary code via a crafted payload to the WEEKEND-PLANS function. NOTE: this is disputed because WEEKEND-PLANS is accessible only to actors who already have write access to the server, and they can more simply upload HTML files containing JavaScript.

References (3)

Core 3

Core References

Product

https://github.com/9001/copyparty

View Writeup ZIP pw:eip

Exploit, Third Party Advisory

https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue/blob/main/copyparty.md

View Exploit ZIP pw:eip

Release Notes

https://github.com/9001/copyparty/releases/tag/v1.9.2

Scores

CVSS v3 7.8

EPSS 0.0003

EPSS Percentile 8.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull copyparty/ac:latest

docker pull authelia/authelia:4.39.5@sha256:023e02e5203dfa0ebaee7a48b5bae34f393d1f9cada4a9df7fbf87eb1759c671

docker pull valkey/valkey:8.1.3-alpine3.22@sha256:0d27f0bca0249f61d060029a6aaf2e16b2c417d68d02a508e1dfb763fa2948b4

docker pull lscr.io/linuxserver/socket-proxy:3.2.3@sha256:63d2e0ce6bb0d12dfdbde5c3af31d08fee343ec3801a050c8197a3f5ffae8bed

docker pull copyparty/ac

+1 more images

https://github.com/9001/copyparty

https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue

View in Library

Details

CWE

CWE-79

Status published

Products (1)

9001/copyparty 1.9.1

Published Aug 29, 2025

Tracked Since Feb 18, 2026