CVE-2026-27948
Copyparty vulnerable to reflected XSS via setck parameter
Description
### Summary An XSS allows for reflected cross-site scripting via URL-parameter `?setck=...` ### Details A reflected cross-site scripting (XSS) vulnerability could allow an attacker to execute malicious javascript by tricking users into accessing a malicious link. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. ### Indicators of Compromise All attempted attacks (successful or not) would be logged to both the copyparty serverlog and the accesslog of the reverseproxy, and are detected by `grep -E '[?&]setck=[^&"]*%'` (the text `setck=` eventually followed by the `%` character).
How to fix CVE-2026-27948
To remediate CVE-2026-27948, upgrade the affected package to a fixed version below.
- —upgrade to 1.20.9 or later
Is CVE-2026-27948 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.20.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |