5.4
Copyparty's nohtml Flag Fails to Stop Malicious SVG Files
GHSA-m6hv-x64c-27mm
CVE-2026-30974
Summary
A bug in Copyparty's nohtml flag allowed users to upload malicious SVG files. If someone with access to the server opens these files, they can be used to delete or upload files on the server. Users should update to version 1.20.11 to fix this issue.
What to do
- Update copyparty to version 1.20.11.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | copyparty | <= 1.20.10 | 1.20.11 |
| – | copyparty | <= 1.20.11 | 1.20.11 |
| 9001 | copyparty | <= 1.20.11 | – |
Original title
Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with ...
Original description
Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.
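Because SVGs uploaded before the upgrade stay on disk, an operator may want to triage existing uploads for embedded script. The following is an added example, not copyparty's code and not a description of its fix; the function names and sample documents are constructed for illustration, and the checks are a triage aid rather than a sanitizer.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that can carry or load active content (compared in lower case).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Return reasons an uploaded SVG could run script when a browser opens it."""
    # Flag DTDs without parsing them: an upload does not need one, and
    # entity definitions can hide markup from a scanner.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DTD or entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name).lower()
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif "".join(value.split()).lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {attr} on <{tag}>")
    return findings

# Constructed sample documents (not taken from the advisory).
NS = b'xmlns="http://www.w3.org/2000/svg"'
BENIGN = b"<svg " + NS + b'><circle r="4"/></svg>'
SCRIPTED = b"<svg " + NS + b"><script>void 0</script></svg>"
HANDLER = (b"<svg " + NS + b' xmlns:x="http://www.w3.org/1999/xlink" onload="void 0">'
           b'<a x:href="javascript:void 0"><text>t</text></a></svg>')

if __name__ == "__main__":
    # Usage: python svg_triage.py /path/to/volume [...]
    for top in sys.argv[1:]:
        for path in Path(top).rglob("*.svg"):
            for reason in svg_findings(path.read_bytes()):
                print(f"{path}: {reason}")
```

Files it reports deserve manual review; a clean result does not replace updating to 1.20.11.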
ghsa CVSS3.1
4.6
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm
- https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e...
- https://github.com/9001/copyparty/releases/tag/v1.20.11
- https://github.com/advisories/GHSA-m6hv-x64c-27mm
- https://github.com/9001/copyparty Product
- https://nvd.nist.gov/vuln/detail/CVE-2026-30974
Published: 10 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026