CVE-2026-27948 MEDIUM

CVE-2026-27948: Copyparty vulnerable to eflected cross-site scripting via setck parameter

Vendor 9001
Product copyparty
Weakness CWE-79 · XSS
Published February 26, 2026
Last update February 26, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue.

Key dates

02Disclosure timeline

February 26, 2026 CVE published
February 26, 2026 Record updated