CVE-2026-30974
Published 2026-03-10
Priority P4 · 31 · medium · 5.4 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.32% (24.0th percentile)
Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 9001 | copyparty | < 1.20.11 | 1.20.11 |
| 9001 | copyparty | >= 0 < 1.20.11 | 1.20.11 |
GHSA
copyparty: volflag `nohtml` did not block javascript in svg files
ghsa·2026-03-10
CVE-2026-30974 [MEDIUM] CWE-79 copyparty: volflag `nohtml` did not block javascript in svg files
### Summary
The `nohtml` config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images.
### Details
A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it.
This in itself is not a vulnerability; it is intended behavior according to [the SVG spec](https://www.w3.org/TR/SVG11/script.html). The vulnerability is that the `nohtml` volflag, when enabled, did not prevent this.
`nohtml`, intended for use on volumes which contain untrusted files, would correctly prevent execution of JavaScript in HTML files, but did not consider SVG images. This has been fixed in v1.20.11.
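For volumes that relied on `nohtml` before the upgrade to v1.20.11, an offline audit can list the SVG files that carry active content. The following is an added example, not copyparty's code or its fix; the function names, tag list and sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Not exhaustive: elements that run or embed script-capable content.
EXEC_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}  # xlink:href is matched by its local name


def local(name):
    """Strip an '{namespace}' prefix and lowercase the remainder."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data):
    """Return reasons why this SVG could run script when opened directly."""
    # Entity declarations can hide markup from the checks below, so report
    # them without parsing. Dropping NUL bytes also covers UTF-16 files.
    if b"<!ENTITY" in data.replace(b"\x00", b"").upper():
        return ["entity declaration (file not parsed)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A browser may still process markup before the error; flag it.
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in EXEC_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            scheme = "".join(value.split()).lower()  # ignore whitespace
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in URL_ATTRS and scheme.startswith("javascript:"):
                findings.append(f"javascript: URL in {attr} on <{tag}>")
    return findings


def audit_volume(path):
    """Map each .svg file under path to its findings, omitting clean files."""
    report = {}
    for f in Path(path).rglob("*"):
        if f.is_file() and f.suffix.lower() == ".svg":
            hits = svg_active_content(f.read_bytes())
            if hits:
                report[str(f)] = hits
    return report


# Constructed sample, not taken from the advisory.
SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg" onload="placeholder()"/>'
```

A clean result from this audit does not replace the upgrade; it only helps triage files uploaded while the volume was exposed.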
### Impact
The
OSV
copyparty: volflag `nohtml` did not block javascript in svg files
osv·2026-03-10
No detection rules found.
No public exploits indexed.
Published: 2026-03-10