CVE-2026-30974

Опубликовано: 10 мар. 2026

Источник: nvd

CVSS3: 4.6

CVSS3: 5.4

EPSS Низкий

Описание

Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.

Ссылки

https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5
Patch
https://github.com/9001/copyparty/releases/tag/v1.20.11
Product
Release Notes
https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*

Версия до 1.20.11 (исключая)

EPSS

Процентиль: 9%

0.00032

Низкий

4.6 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-m6hv-x64c-27mm

CVSS3: 4.6

github

около 1 месяца назад

copyparty: volflag `nohtml` did not block javascript in svg files

EPSS

Процентиль: 9%

0.00032

Низкий

4.6 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79