cbcvebase.
CVE-2026-30974
published 2026-03-10

CVE-2026-30974: Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did…

PriorityP431medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.32%
24.0th percentile
Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.

Affected

2 ranges
VendorProductVersion rangeFixed in
9001copyparty< 1.20.111.20.11
9001copyparty>= 0 < 1.20.111.20.11
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.