The Party Pooper: Reflected XSS in Copyparty (CVE-2026-27948)
Vulnerability ID: CVE-2026-27948
CVSS Score: 5.4
Published: 2026-02-26
A classic Reflected Cross-Site Scripting (XSS) vulnerability exists in the 'copyparty' portable file server, specifically within the 'setck' URL parameter used for setting client-side configuration cookies. This flaw allows unauthenticated attackers to inject malicious JavaScript into the server's response, potentially leading to session hijacking, unauthorized file access, or administrative account takeover when a victim clicks a crafted link.
TL;DR
Copyparty < 1.20.9 reflects the 'setck' query parameter directly into the HTML response without sanitization. Attackers can use this to execute arbitrary JavaScript in a victim's browser. Patch adds strict allowlisting (alphanumeric only) and length limits.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-79 (XSS)
- Attack Vector: Network (Reflected)
- CVSS v3.1: 5.4 (Medium)
- EPSS Score: 0.00029 (Low)
- Privileges Required: None
- User Interaction: Required
Affected Systems
- copyparty < 1.20.9 (fixed in 1.20.9)
Code Analysis
Commit: 31b2801
Fix XSS in setck, enforce strict char whitelist and length limit
import re

# Allowlist: any character outside 0-9, a-z and '=' is rejected
RE_SETCK = re.compile(r'[^0-9a-z=]')
...
# zs is the raw value of the setck query parameter
if len(zs) > 9 or RE_SETCK.search(zs):
    raise Pebkac(400, 'illegal value')
Exploit Details
- Hypothetical: Standard XSS Proof of Concept using script tags.
Mitigation Strategies
- Input Validation: Whitelist allowed characters (alphanumeric only).
- Output Encoding: Ensure reflected data is context-aware encoded.
- Cookie Security: Use HttpOnly cookies to prevent JavaScript access to session tokens.
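The allowlist and length check from the fix commit above, combined with the context-aware output encoding recommended here, as an added example (not copyparty's own code): the real server raises Pebkac(400, ...) and renders a full page; this stand-in raises ValueError and emits a single constructed HTML fragment.

```python
import html
import re

# Same allowlist as the copyparty fix: anything outside 0-9, a-z and '=' is rejected.
RE_SETCK = re.compile(r'[^0-9a-z=]')
MAX_SETCK_LEN = 9  # the fix also rejects values longer than 9 characters


def validate_setck(zs: str) -> str:
    """Return zs unchanged if it passes the allowlist and length check, else raise."""
    if len(zs) > MAX_SETCK_LEN or RE_SETCK.search(zs):
        raise ValueError("illegal value")  # copyparty raises Pebkac(400, 'illegal value')
    return zs


def is_valid_setck(zs: str) -> bool:
    """Boolean form of validate_setck, convenient for checking a batch of inputs."""
    try:
        validate_setck(zs)
        return True
    except ValueError:
        return False


def render_vulnerable(zs: str) -> str:
    """Pre-fix behaviour (constructed stand-in): the parameter lands in HTML verbatim."""
    return f"<p>set cookie: {zs}</p>"


def render_fixed(zs: str) -> str:
    """Post-fix behaviour: validate first, then HTML-encode as defence in depth.

    The allowlist alone already excludes '<', '>', '"' and quotes; html.escape
    guards the same output if the allowlist is ever loosened later.
    """
    return f"<p>set cookie: {html.escape(validate_setck(zs), quote=True)}</p>"


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate setting, an over-long value,
    # an uppercase value (allowlist is lowercase only) and one carrying markup.
    for sample in ("dots=1", "abcdefghij", "K=1", "a<b"):
        print(f"{sample!r:14} accepted={is_valid_setck(sample)}")
```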
Remediation Steps:
- Stop the running copyparty instance.
- Update copyparty to version 1.20.9 or higher using pip: pip install -U copyparty
- Verify the version: python3 -m copyparty --version
- Restart the service.