Copyparty vulnerable to reflected XSS via setck parameter

GHSA-62cr-6wp5-q43h · CVE-2026-27948

Published Feb 26, 2026 · Modified Feb 26, 2026

Description

Summary

An XSS allows for reflected cross-site scripting via URL-parameter ?setck=...

Details

A reflected cross-site scripting (XSS) vulnerability could allow an attacker to execute malicious javascript by tricking users into accessing a malicious link.

The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.

Indicators of Compromise

All attempted attacks (successful or not) would be logged to both the copyparty serverlog and the accesslog of the reverseproxy, and are detected by grep -E '[?&]setck=[^&"]*%' (the text setck= eventually followed by the % character).

References

WEB https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-27948
WEB https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc
PACKAGE https://github.com/9001/copyparty
WEB https://github.com/9001/copyparty/releases/tag/v1.20.9

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes