Description

Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.

INFO

Published Date :

2026-03-10T17:37:26.214Z

Last Modified :

2026-03-11T14:45:33.773Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30974 vulnerability.

Vendors Products
9001
  • Copyparty
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30974.

URL Resource
https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5 cve-icon cve-icon
https://github.com/9001/copyparty/releases/tag/v1.20.11 cve-icon cve-icon
https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact