{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27948", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.690Z", "datePublished": "2026-02-26T01:32:15.184Z", "dateUpdated": "2026-02-26T15:07:56.702Z"}, "containers": {"cna": {"title": "Copyparty vulnerable to eflected cross-site scripting via setck parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h"}, {"name": "https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc", "tags": ["x_refsource_MISC"], "url": "https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc"}], "affected": [{"vendor": "9001", "product": "copyparty", "versions": [{"version": "< 1.20.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:32:15.184Z"}, "descriptions": [{"lang": "en", "value": "Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue."}], "source": {"advisory": "GHSA-62cr-6wp5-q43h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:06:14.581010Z", "id": "CVE-2026-27948", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:07:56.702Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27948", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T15:06:14.581010Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:06:30.004Z"}}], "cna": {"title": "Copyparty vulnerable to eflected cross-site scripting via setck parameter", "source": {"advisory": "GHSA-62cr-6wp5-q43h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "9001", "product": "copyparty", "versions": [{"status": "affected", "version": "< 1.20.9"}]}], "references": [{"url": "https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h", "name": "https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc", "name": "https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:32:15.184Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27948", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:07:56.702Z", "dateReserved": "2026-02-25T03:11:36.690Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T01:32:15.184Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F7BCD65-4E73-467D-B9AF-D514441AEA9A", "versionEndExcluding": "1.20.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue."}], "id": "CVE-2026-27948", "lastModified": "2026-02-28T00:56:59.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-26T02:16:22.733", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.20.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "copyparty", "source": "cna", "vendor": "9001"}, "product": "copyparty", "vendor": "9001"}], "analysis": {"en": {"generated_at": "2026-04-18T17:36:46.895659+00:00", "value": {"mitigation_remediation": ["Upgrade Copyparty to version 1.20.9 or later, where the vulnerable setck parameter handling has been fixed", "If an immediate upgrade is not feasible, restrict public access to the server and enforce authentication to limit the attacker\u2019s ability to deliver malicious URLs", "Apply appropriate content\u2011security\u2011policy headers and ensure that all user\u2011supplied input is properly escaped before rendering"], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Versions of Copyparty less than 1.20.9 are affected. The software is available as a self\u2011hosted file sharing service.", "description_and_impact": "Copyparty, a portable file server, has a reflected cross\u2011site scripting flaw in its setck URL parameter. The vulnerability allows an attacker to inject malicious JavaScript that executes in the victim\u2019s browser, potentially exposing cookies, session tokens, or other sensitive data. This flaw falls under the input\u2011validation weakness identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate risk, while the EPSS score of less than 1% shows that the probability of exploitation is very low at present. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must supply a crafted URL containing the setck parameter and persuade a victim to visit the link, making user interaction a prerequisite for exploitation. Nonetheless, the impact on confidentiality warrants prompt remedial action."}}}}, "created": "2026-02-26T13:09:59.001721+00:00", "updated": "2026-04-18T17:45:06.056426+00:00", "vendors": ["9001", "9001$PRODUCT$copyparty"]}