CVE-2026-30974 MEDIUM

CVE-2026-30974: Copyparty volflag `nohtml` did not block javascript in svg files

Vendor 9001
Product copyparty
Weakness CWE-79 · XSS
Published March 10, 2026
Last update March 11, 2026

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Copyparty is a portable file server. Prior to v1.20.11, the `nohtml` config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.
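For auditing a volume that accepted uploads before the upgrade, the following added example (not copyparty code and not the project's fix) lists SVG files that carry script-capable content. The function names, the heuristics and the sample inputs are assumptions made for this illustration.

```python
"""Audit sketch: list SVG files that carry script-capable content."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

ACTIVE_TAGS = {"script", "foreignobject"}  # elements that can carry or host script

def local(name: str) -> str:
    """'{namespace}Tag' -> 'tag' (namespace stripped, lower-cased)."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG could run script when a browser opens it."""
    if b"<!ENTITY" in data.upper():
        # Do not expand entities from untrusted uploads; report and stop.
        return ["entity declaration, not parsed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc})"]
    found = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            found.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            # Browsers strip tabs and newlines from URLs, so normalise first.
            url = "".join(c for c in value if c > " ").lower()
            if attr.startswith("on"):
                found.append(f"{attr} handler on <{tag}>")
            elif url.startswith("javascript:"):
                found.append(f"javascript: URL in {attr} on <{tag}>")
    return found

# Constructed samples, not taken from the advisory.
NS = b'xmlns="http://www.w3.org/2000/svg"'
CLEAN = b"<svg " + NS + b'><circle r="4"/></svg>'
SCRIPTED = b"<svg " + NS + b"><script>/* constructed */</script></svg>"
HANDLER = b"<svg " + NS + b' onload="/* constructed */"/>'

if __name__ == "__main__":
    # Usage: python svg_audit.py /path/to/volume  (the path is an assumption)
    for path in Path(sys.argv[1]).rglob("*.svg"):
        for reason in svg_findings(path.read_bytes()):
            print(f"{path}: {reason}")
```

A file with no findings is not proven safe; the check only covers the patterns listed in the code.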

Key dates

Disclosure timeline

March 10, 2026 CVE published
March 11, 2026 Record updated