Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
Copyparty: Malicious Links Can Steal or Delete Files
CVE-2026-27948
GHSA-62cr-6wp5-q43h
Summary
Copyparty has a security weakness that allows hackers to trick users into doing unwanted actions on the server, such as stealing or deleting files. This happens when a user clicks on a malicious link. To protect yourself, be cautious when clicking on links and keep an eye on your server logs for suspicious activity.
What to do
- Update copyparty to version 1.20.9.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | copyparty | <= 1.20.9 | 1.20.9 |
| 9001 | copyparty | <= 1.20.9 | – |
Original title
Copyparty vulnerable to reflected XSS via setck parameter
Original description
### Summary
An XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`
### Details
A reflected cross-site scripting (XSS) vulnerability could allow an attacker to execute malicious javascript by tricking users into accessing a malicious link.
The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.
### Indicators of Compromise
All attempted attacks (successful or not) would be logged to both the copyparty serverlog and the accesslog of the reverseproxy, and are detected by `grep -E '[?&]setck=[^&"]*%'` (the text `setck=` eventually followed by the `%` character).
An XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`
### Details
A reflected cross-site scripting (XSS) vulnerability could allow an attacker to execute malicious javascript by tricking users into accessing a malicious link.
The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.
### Indicators of Compromise
All attempted attacks (successful or not) would be logged to both the copyparty serverlog and the accesslog of the reverseproxy, and are detected by `grep -E '[?&]setck=[^&"]*%'` (the text `setck=` eventually followed by the `%` character).
nvd CVSS3.1
6.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27948
- https://github.com/9001/copyparty/releases/tag/v1.20.9
- https://github.com/advisories/GHSA-62cr-6wp5-q43h
- https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048b... Patch
- https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h Vendor Advisory
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026