CVE-2026-27948 PUBLISHED

Copyparty vulnerable to eflected cross-site scripting via setck parameter

Assigner: GitHub_M
Reserved: 25.02.2026 Published: 26.02.2026 Updated: 26.02.2026

Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter ?setck=.... Version 1.20.9 fixes the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 5.4

Product Status

Vendor 9001
Product copyparty
Versions
  • Version < 1.20.9 is affected

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE