Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30974 is a cross-site scripting (XSS) vulnerability in the copyparty file server prior to version 1.20.11. The vulnerability arises because the "nohtml" configuration option, which is intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG image files. This allowed a user with write permissions to upload an SVG file containing embedded JavaScript. When another user opens this SVG file, the malicious JavaScript executes in their context.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 1.20.11 by enhancing the "nohtml" flag to also treat SVG images as plaintext, disabling script execution. Additionally, a new "noscript" flag was introduced to block JavaScript execution via strict Content-Security-Policy headers.'}] [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a malicious user with write access to upload SVG files containing JavaScript that executes when opened by other users. The impact includes the potential for the malicious script to move, delete, or upload files on the server with the privileges of the user who opens the SVG file.

The CVSS v3.1 base score is 4.6, indicating a moderate severity. The attack requires low complexity and low privileges but does require user interaction (opening the SVG file). The confidentiality and integrity impacts are low, and there is no impact on availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if your copyparty server is running a version prior to v1.20.11 where the nohtml flag does not prevent JavaScript execution in SVG files.'}, {'type': 'paragraph', 'content': 'You can check the version of copyparty running on your system by executing a command to display the version, for example:'}, {'type': 'list_item', 'content': 'python copyparty.py --version'}, {'type': 'list_item', 'content': 'or if using Docker, check the image tag or container labels.'}, {'type': 'paragraph', 'content': 'Additionally, you can scan uploaded files on your server for SVG files that may contain embedded JavaScript by searching for <script> tags or event handlers within SVG files in your upload directories. For example, using grep:'}, {'type': 'list_item', 'content': "grep -r --include='*.svg' '<script' /path/to/copyparty/uploads"}, {'type': 'list_item', 'content': "grep -r --include='*.svg' 'onload=' /path/to/copyparty/uploads"}, {'type': 'paragraph', 'content': 'Monitoring HTTP headers and responses for the presence or absence of security headers like Content-Security-Policy (CSP) can also help detect if the noscript flag or nohtml flag enhancements are active.'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation step is to upgrade your copyparty installation to version 1.20.11 or later, where the vulnerability has been fixed.

This update includes enhancements to the nohtml flag to also treat SVG images as plaintext and disables JavaScript execution by enabling a new noscript flag that applies strict Content-Security-Policy headers.

If upgrading immediately is not possible, consider enabling the noscript flag independently to block most JavaScript execution, and configure your server or reverse proxy to enforce strict Content-Security-Policy headers.

Additionally, restrict write permissions to trusted users only to prevent uploading of malicious SVG files.

Running copyparty behind a reverse proxy with Unix socket binding is recommended to improve access control and security.

Finally, consider scanning existing uploaded SVG files for embedded scripts and removing or sanitizing any suspicious files.

Useful 0 Not Useful 0