CVE-2026-32109
Received Received - Intake
Cross-Site Scripting in Copyparty File Server via .prologue.html Upload

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain control of the target's authenticated session, the link must be clicked from a page served by the server itself -- most likely by editing an existing resource, which would require additional access permissions. Finally, for this attack to be successful, the attacker's target must click the specific crafted link given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server. This vulnerability is fixed in 1.20.12.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32109
EUVD
EUVD-2026-11379
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
9001 copyparty to 1.20.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Copyparty, a portable file server, in versions prior to 1.20.12. If an attacker has both read and write permissions on the server, they can upload a malicious file named .prologue.html. By crafting a specific link, the attacker can cause arbitrary JavaScript within that file to execute in the victim's browser context unexpectedly.

Normally, JavaScript in .prologue.html executes only when the user accesses the file directly (e.g., https://example.com/foo/.prologue.html). The vulnerability is that the JavaScript also executes when accessing a URL like https://example.com/foo/?b, which is unexpected behavior.

Exploitation requires the victim to click a specially crafted link, and existing security measures such as strict SameSite cookies make exploitation harder. Additionally, the attacker would need to have sufficient permissions to upload or modify resources on the server.

This issue was fixed in Copyparty version 1.20.12.

Impact Analysis

If exploited, this vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser session when they click a crafted link. This could potentially allow an attacker to perform actions on behalf of the victim within the web application.

However, the impact is limited by several factors: the attacker must have both read and write permissions on the server, the victim must click the malicious link, and strict SameSite cookie policies reduce the risk of session hijacking.

The CVSS score of 3.7 (low severity) reflects that the vulnerability requires user interaction and has limited impact on confidentiality and integrity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Copyparty to version 1.20.12 or later, where the issue is fixed.

Additionally, ensure that users do not click on crafted links that exploit the vulnerability, especially links with query parameters that cause unexpected JavaScript execution.

Restrict read and write permissions carefully to prevent attackers from uploading malicious .prologue.html files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32109. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart