{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30974", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:53:48.816Z", "datePublished": "2026-03-10T17:37:26.214Z", "dateUpdated": "2026-03-11T14:45:33.773Z"}, "containers": {"cna": {"title": "Copyparty volflag `nohtml` did not block javascript in svg files", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm"}, {"name": "https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5", "tags": ["x_refsource_MISC"], "url": "https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5"}, {"name": "https://github.com/9001/copyparty/releases/tag/v1.20.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/9001/copyparty/releases/tag/v1.20.11"}], "affected": [{"vendor": "9001", "product": "copyparty", "versions": [{"version": "< 1.20.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:37:26.214Z"}, "descriptions": [{"lang": "en", "value": "Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11."}], "source": {"advisory": "GHSA-m6hv-x64c-27mm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:45:22.362232Z", "id": "CVE-2026-30974", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:45:33.773Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:45:22.362232Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:45:27.811Z"}}], "cna": {"title": "Copyparty volflag `nohtml` did not block javascript in svg files", "source": {"advisory": "GHSA-m6hv-x64c-27mm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "9001", "product": "copyparty", "versions": [{"status": "affected", "version": "< 1.20.11"}]}], "references": [{"url": "https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm", "name": "https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5", "name": "https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/9001/copyparty/releases/tag/v1.20.11", "name": "https://github.com/9001/copyparty/releases/tag/v1.20.11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:37:26.214Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30974", "state": "PUBLISHED", "dateUpdated": "2026-03-11T14:45:33.773Z", "dateReserved": "2026-03-07T17:53:48.816Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T17:37:26.214Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*", "matchCriteriaId": "430C3EDB-42FA-41FD-B9FE-739C47155409", "versionEndExcluding": "1.20.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11."}, {"lang": "es", "value": "Copyparty es un servidor de archivos port\u00e1til. Antes de la v1.20.11., la opci\u00f3n de configuraci\u00f3n nohtml, destinada a evitar la ejecuci\u00f3n de JavaScript en archivos HTML subidos por el usuario, no se aplicaba a las im\u00e1genes SVG. Un usuario con permiso de escritura pod\u00eda subir un SVG que conten\u00eda JavaScript incrustado, el cual se ejecutar\u00eda en el contexto de cualquier usuario que lo abriera. Esto ha sido corregido en la v1.20.11."}], "id": "CVE-2026-30974", "lastModified": "2026-03-13T20:14:44.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T18:18:56.220", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/9001/copyparty/releases/tag/v1.20.11"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.20.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "copyparty", "source": "cna", "vendor": "9001"}, "product": "copyparty", "vendor": "9001"}], "analysis": {"en": {"generated_at": "2026-04-16T09:41:11.610984+00:00", "value": {"mitigation_remediation": ["Update Copyparty to version\u202f1.20.11 or later, which enforces the nohtml flag on SVG uploads", "Restrict file\u2011upload permissions so that only trusted users can add new files, reducing the attack surface", "Monitor SVG uploads for embedded JavaScript or other suspicious content and consider disabling SVG file types temporarily until the patch is applied"], "summary": {"action": "Patch Now", "impact": "Arbitrary JavaScript execution via unsanitized SVG uploads"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Copyparty product from vendor 9001. Any deployment running a version earlier than 1.20.11 is susceptible. Users should verify their installed version and apply the update if below the mentioned threshold.", "description_and_impact": "Copyparty is a portable file server that allows users to upload files. In versions prior to 1.20.11, the configuration option intended to block JavaScript in uploaded HTML files\u2014the nohtml flag\u2014did not apply to SVG images. An attacker with write permission can embed JavaScript inside an SVG file; when another user opens that file in a browser, the script runs in the context of that user\u2019s browser. This enables cross\u2011site scripting that can steal session cookies, credentials, or execute further client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 4.6 denotes moderate severity, while the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation in the wild. Copyparty is not listed in the CISA KEV catalog. The attack requires an authenticated user with write permissions to upload a crafted SVG; once uploaded, the malicious code executes in the victim\u2019s browser, compromising client\u2011side confidentiality and integrity but not the server itself."}}}}, "created": "2026-03-11T11:44:45.685960+00:00", "updated": "2026-04-16T09:45:31.675841+00:00", "vendors": ["9001", "9001$PRODUCT$copyparty"]}