CVE-2026-27948

MEDIUM

Copyparty < 1.20.9 - Reflected Cross-Site Scripting via URL Parameter

Title source: llm

Description

Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h

Patch x_refsource_misc

https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc

View Patch ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0016

EPSS Percentile 5.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

9001/copyparty < 1.20.9

pypi/copyparty 0 - 1.20.9PyPI

Published Feb 26, 2026

Tracked Since Feb 26, 2026