DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-30974: Stored Cross-Site Scripting via SVG Uploads in copyparty

Vulnerability ID: CVE-2026-30974
CVSS Score: 4.6
Published: 2026-03-10

A Stored Cross-Site Scripting (XSS) vulnerability exists in copyparty prior to version v1.20.11. The 'nohtml' volume configuration flag fails to restrict SVG images, allowing authenticated attackers with write permissions to upload malicious SVGs that execute arbitrary JavaScript when viewed by other users.

TL;DR

copyparty before v1.20.11 fails to sanitize SVG files under the 'nohtml' flag, enabling Stored XSS via embedded script tags in user-uploaded images.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Stored Cross-Site Scripting (CWE-79)
  • CVSS v3.1 Score: 4.6 (Medium)
  • Attack Vector: Network
  • Privileges Required: Low (Write Access)
  • User Interaction: Required
  • CISA KEV Status: Not Listed

Affected Systems

  • copyparty
  • copyparty: < 1.20.11 (Fixed in: 1.20.11)

Code Analysis

Commit: 1c9f894

Fix stored XSS via SVG uploads by implementing strict MIME allow-listing and CSP headers.

Mitigation Strategies

  • Upgrade to copyparty v1.20.11 to deploy the corrected MIME type validation logic.
  • Ensure the 'nohtml' volflag is enabled on all volumes accepting untrusted user uploads.
  • Enable the newly introduced 'noscript' volflag to enforce a strict script-blocking Content Security Policy.

Remediation Steps:

  1. Identify all copyparty instances running versions prior to v1.20.11.
  2. Download and install the v1.20.11 release or pull the latest container image.
  3. Review the copyparty configuration file (copyparty.conf) or command-line arguments.
  4. Append 'nohtml' and 'noscript' to the configuration flags of user-writable volumes.
  5. Restart the copyparty service to apply the updated binary and configurations.
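The allow-list-plus-CSP approach summarised under Code Analysis, and the 'nohtml'/'noscript' behaviour the remediation steps rely on, modelled as an added example in Python. This is not copyparty's own code: the MIME table, the header policy functions and the two sample SVGs are all constructed here to show why a deny-list that only names text/html lets an SVG render inline, and what the hardened response looks like.

```python
import re

# Constructed extension-to-MIME table for the example; a real server has a
# fuller map, but the policy logic below does not depend on its size.
MIME_BY_EXT = {
    ".png": "image/png", ".jpg": "image/jpeg", ".gif": "image/gif",
    ".svg": "image/svg+xml", ".html": "text/html", ".xml": "text/xml",
    ".txt": "text/plain",
}
# Allow-list: types a browser renders as passive media, never as a document.
INLINE_OK = {"image/png", "image/jpeg", "image/gif", "text/plain"}
STRICT_CSP = "default-src 'none'; script-src 'none'; sandbox"

# Constructed samples (not taken from the advisory): a benign icon and one
# carrying a script element, the pattern the advisory describes.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
HOSTILE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/*js*/</script></svg>'

def guess_type(name: str) -> str:
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return MIME_BY_EXT.get(ext, "application/octet-stream")

def headers_denylist(name: str) -> dict:
    """Models the pre-fix behaviour the advisory describes: a 'nohtml'-style
    flag that only neutralises text/html still serves image/svg+xml inline,
    and SVG is XML that may carry <script> and event handlers."""
    ctype = guess_type(name)
    if ctype == "text/html":
        return {"Content-Type": "text/plain; charset=utf-8",
                "Content-Disposition": "attachment"}
    return {"Content-Type": ctype}

def headers_allowlist(name: str, noscript: bool = True) -> dict:
    """Hardened policy: only allow-listed types are served inline; SVG, HTML
    and other markup are downgraded to a download, nosniff stops the browser
    from re-guessing the type, and 'noscript' adds a script-blocking CSP."""
    ctype = guess_type(name)
    h = {"X-Content-Type-Options": "nosniff"}
    if ctype in INLINE_OK:
        h["Content-Type"] = ctype
    else:
        h["Content-Type"] = "text/plain; charset=utf-8"
        h["Content-Disposition"] = "attachment"
    if noscript:
        h["Content-Security-Policy"] = STRICT_CSP
    return h

_ACTIVE = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:|<foreignObject", re.I)

def svg_has_active_content(data: bytes) -> bool:
    """Triage helper for SVGs already sitting in a user-writable volume: flags
    script elements, event-handler attributes, javascript: URLs and
    foreignObject (which can embed HTML)."""
    return _ACTIVE.search(data) is not None
```

Running `svg_has_active_content` over existing uploads is a way to find files worth quarantining after the upgrade; the header policy is what stops them from ever executing in the server's origin.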
