CVE-2026-30974
copyparty: volflag `nohtml` did not block javascript in svg files
Description
### Summary

The `nohtml` config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images.

### Details

A user with write permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it directly in the browser (an SVG embedded via an `<img>` tag does not run script; a direct link to the raw file does). This in itself is not a vulnerability; it is intended behavior according to [the SVG spec](https://www.w3.org/TR/SVG11/script.html). The vulnerability is that the `nohtml` volflag, when enabled, did not prevent this. `nohtml`, intended for use on volumes which contain untrusted files, correctly prevented execution of JavaScript in HTML files, but did not consider SVG images. This has been fixed in v1.20.11.

### Impact

The malicious JavaScript could move or delete existing files on the server, or upload new files, using the account (same-origin session) of the person who opens the SVG.
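The following is an added example, not copyparty's own code and not how v1.20.11 implements its fix. It shows the shape of the bug: a serving policy keyed on "is this HTML?" next to one keyed on the full set of Content-Types a browser will execute script in when navigated to directly, which is where SVG belongs. It also includes a triage scan for SVGs already sitting in an affected volume. Everything here is assumed or constructed: the function names, the `text/plain` + `attachment` downgrade, the sample uploads, and the inclusion of `application/xhtml+xml` as a generalisation beyond the two types the advisory names.

```python
"""
Added example (not copyparty's code): why an "nohtml"-style policy must treat
SVG like HTML, plus a triage scan for SVGs that are already on disk.

A browser executes <script>, on* event handlers and javascript: links in an
image/svg+xml document it navigates to directly, just as in an HTML document.
A server that neutralises HTML under nohtml but still serves .svg inline with
its native Content-Type leaves that hole open, which is the gap the advisory
describes.

Assumptions: the names, the policy semantics and the "text/plain + attachment"
downgrade are illustrative, not copyparty's implementation; the sample uploads
are constructed; application/xhtml+xml is a generalisation beyond the advisory.
"""
import os
import re

# Constructed sample uploads (not from the advisory).
SVG_WITH_SCRIPT = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <script>fetch("/?delete", {method: "POST"})</script>
  <circle r="10"/>
</svg>"""
SVG_WITH_HANDLER = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                    b'<rect width="1" height="1" onload="alert(1)"/></svg>')
SVG_STATIC = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Content-Types a browser treats as a scriptable document when opened directly.
ACTIVE_TYPES = {
    ".html": "text/html",
    ".htm": "text/html",
    ".xhtml": "application/xhtml+xml",
    ".svg": "image/svg+xml",
}
OTHER_TYPES = {".png": "image/png", ".jpg": "image/jpeg", ".txt": "text/plain"}

# Headers that stop the browser from rendering the file as a document at all.
NEUTRALISED = {"Content-Type": "text/plain; charset=utf-8",
               "Content-Disposition": "attachment",
               "X-Content-Type-Options": "nosniff"}


def native_type(name):
    ext = os.path.splitext(name)[1].lower()
    return ACTIVE_TYPES.get(ext) or OTHER_TYPES.get(ext, "application/octet-stream")


def headers_pre_fix(name, nohtml):
    """Behaviour the advisory describes for < 1.20.11: only HTML is neutralised,
    so an uploaded .svg is still served inline as image/svg+xml."""
    ctype = native_type(name)
    if nohtml and ctype == "text/html":
        return dict(NEUTRALISED)
    return {"Content-Type": ctype, "Content-Disposition": "inline"}


def headers_hardened(name, nohtml):
    """Policy keyed on every script-capable type, not on 'HTML' alone; any of
    them is downgraded under nohtml (illustrative, not the project's fix)."""
    ctype = native_type(name)
    if nohtml and ctype in ACTIVE_TYPES.values():
        return dict(NEUTRALISED)
    return {"Content-Type": ctype, "Content-Disposition": "inline",
            "X-Content-Type-Options": "nosniff"}


# Triage heuristic for SVGs uploaded before the policy was fixed.
SVG_ACTIVE_RE = re.compile(
    rb"<\s*script\b"                      # <script> element
    rb"|\son[a-z]+\s*=\s*['\"]"           # onload=, onclick=, ... handlers
    rb"|href\s*=\s*['\"]\s*javascript:",  # javascript: in href / xlink:href
    re.IGNORECASE,
)


def svg_is_active(data):
    return SVG_ACTIVE_RE.search(data) is not None


def find_active_svgs(files):
    """files: {name: bytes}. Returns names of SVG uploads that carry script."""
    return sorted(n for n, d in files.items()
                  if native_type(n) == "image/svg+xml" and svg_is_active(d))


if __name__ == "__main__":
    uploads = {"evil.svg": SVG_WITH_SCRIPT, "sneaky.svg": SVG_WITH_HANDLER,
               "logo.svg": SVG_STATIC, "photo.png": PNG_STUB}
    print("pre-fix  :", headers_pre_fix("evil.svg", nohtml=True))
    print("hardened :", headers_hardened("evil.svg", nohtml=True))
    print("to review:", find_active_svgs(uploads))
```

The serving policy deliberately does not depend on `svg_is_active`: the regex is a triage aid for deciding which existing uploads to look at, not a sanitizer. SVG has enough indirect routes to script (for instance animating an `href` attribute to a `javascript:` value) that an allow-by-scan approach would be bypassable, so under `nohtml` every SVG is downgraded regardless of content, and script-free logos simply have to be served from a volume without the flag.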
How to fix CVE-2026-30974
To remediate CVE-2026-30974, upgrade the affected package to a fixed version below.
- Upgrade copyparty to 1.20.11 or later
Is CVE-2026-30974 being exploited?
Low. EPSS is 0.0% (rounded), meaning the EPSS model predicts a negligible probability of in-the-wild exploitation; it is a forecast, not evidence that a given instance has not already received a malicious SVG on a `nohtml` volume.
Affected packages (1)
- copyparty, versions >= 0 and < 1.20.11 (every release before 1.20.11)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.6) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |

The vector reads: reachable over the network (AV:N), low attack complexity (AC:L), requires a low-privileged account (PR:L, the write permission needed to upload the SVG), requires user interaction (UI:R, the victim must open the SVG), no scope change (S:U), low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N).