CVE-2026-27948
published 2026-02-26CVE-2026-27948: Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version…
PriorityP425medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.16%
5.9th percentile
Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 9001 | copyparty | < 1.20.9 | 1.20.9 |
| 9001 | copyparty | >= 0 < 1.20.9 | 1.20.9 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Copyparty vulnerable to reflected XSS via setck parameter
ghsa·2026-02-26
CVE-2026-27948 [MEDIUM] CWE-79 Copyparty vulnerable to reflected XSS via setck parameter
Copyparty vulnerable to reflected XSS via setck parameter
### Summary
An XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`
### Details
A reflected cross-site scripting (XSS) vulnerability could allow an attacker to execute malicious javascript by tricking users into accessing a malicious link.
The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.
### Indicators of Compromise
All attempted attacks (successful or not) would be logged to both the copyparty serverlog and the accesslog of the reverseproxy, and are detected by `grep -E '[?&]setck=[^&"]*%'` (the text `setck=` eventually followed by the `%` character).
OSV
Copyparty vulnerable to reflected XSS via setck parameter
osv·2026-02-26
CVE-2026-27948 [MEDIUM] Copyparty vulnerable to reflected XSS via setck parameter
Copyparty vulnerable to reflected XSS via setck parameter
### Summary
An XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`
### Details
A reflected cross-site scripting (XSS) vulnerability could allow an attacker to execute malicious javascript by tricking users into accessing a malicious link.
The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.
### Indicators of Compromise
All attempted attacks (successful or not) would be logged to both the copyparty serverlog and the accesslog of the reverseproxy, and are detected by `grep -E '[?&]setck=[^&"]*%'` (the text `setck=` eventually followed by the `%` character).
No detection rules found.
No public exploits indexed.
2026-02-26
Published