CVE-2026-27948 Overview
CVE-2026-27948 is a reflected cross-site scripting (XSS) vulnerability affecting Copyparty, a portable file server application. The vulnerability exists in versions prior to 1.20.9 and allows attackers to execute malicious scripts in the context of a victim's browser session through the ?setck=... URL parameter. This parameter lacks proper input sanitization, enabling injection of arbitrary JavaScript code that executes when a victim clicks a crafted link.
Critical Impact
Attackers can steal session cookies, perform actions on behalf of authenticated users, redirect victims to malicious sites, or deface the web interface by exploiting the unsanitized setck parameter.
Affected Products
- Copyparty versions prior to 1.20.9
- Web-based file server deployments using vulnerable Copyparty instances
- Self-hosted Copyparty installations exposed to the network
Discovery Timeline
- 2026-02-26 - CVE-2026-27948 published to NVD
- 2026-02-26 - Last updated in the NVD database
Technical Details for CVE-2026-27948
Vulnerability Analysis
This reflected XSS vulnerability (CWE-79) stems from insufficient input validation in Copyparty's cookie-handling functionality. The setck URL parameter accepts user-supplied input that is reflected back into the HTTP response without proper sanitization. An attacker can craft a malicious URL containing JavaScript payloads in the setck parameter. When a victim navigates to this URL, the malicious script executes within the victim's browser session, potentially compromising sensitive data or performing unauthorized actions.
The attack is network-accessible and requires user interaction (clicking a malicious link), but does not require authentication. The vulnerability impacts confidentiality and integrity of user sessions, though availability is not affected.
Root Cause
The root cause is missing input validation on the setck URL parameter in httpcli.py. Prior to the fix, the application did not restrict or sanitize characters that could be used for XSS payloads. The fix introduces a regular expression RE_SETCK = re.compile(r"[^0-9a-z=]") that matches any character other than a digit, a lowercase letter or the equals sign; it is used to allow only setck values built from those characters, which blocks script injection attempts.
Attack Vector
The attack vector is network-based reflected XSS. An attacker crafts a URL containing malicious JavaScript in the setck parameter and distributes it via phishing emails, social engineering, or by embedding it on malicious websites. When a victim with an active Copyparty session clicks the link, the script executes in their browser context, potentially:
- Stealing session cookies and authentication tokens
- Performing file operations on behalf of the victim
- Exfiltrating sensitive files accessible through the file server
- Redirecting users to credential harvesting pages
# Security patch introducing input validation regex
# Source: https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc
RE_HR = re.compile(r"[<>\"'&]")
RE_MDV = re.compile(r"(.*).([0-9]+.[0-9]{3})(\.[Mm][Dd])$")
RE_RSS_KW = re.compile(r"(\{[^} ]+\})")
+RE_SETCK = re.compile(r"[^0-9a-z=]")
UPARAM_CC_OK = set("doc move tree".split())
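Review bot: RE_SETCK is a reject-pattern rather than an allowlist by itself: `[^0-9a-z=]` matches any character outside digits, lowercase letters and `=`, so the fix is only correct if the call site refuses the request (or the whole value) on any match instead of stripping the matched characters, and that call site is not in this hunk; please include it in the review. Note also that uppercase letters are rejected, which is fine only if every legitimate setck value is lowercase. A short comment beside the definition naming the parameter it guards would help, since the neighbouring RE_HR, RE_MDV and RE_RSS_KW patterns give no hint.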
The patch in util.py also restricts cookie value handling:
# Additional patch in util.py limiting cookie value length for non-cppw cookies
# Source: https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc
return [top] + ok, ng
-def unescape_cookie(orig: str) -> str:
+def unescape_cookie(orig: str, name: str) -> str:
# mw=idk; doot=qwe%2Crty%3Basd+fgh%2Bjkl%25zxc&vbn # qwe,rty;asd fgh+jkl%zxc&vbn
+ if not name.startswith("cppw"):
+ orig = orig[:3]
ret = []
esc = ""
for ch in orig:
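Review bot: changing the signature to `unescape_cookie(orig, name)` means every caller must now pass the cookie name, and none of the call sites is shown here; confirm they are all updated or the function will fail at runtime. The new truncation `orig = orig[:3]` runs before percent-unescaping, so a value such as `qwe%2Crty` becomes `qwe`, and the comment example above it (`doot=qwe%2Crty%3Basd+fgh...`) no longer describes what the function returns for cookies whose name does not start with `cppw`; update the comment and state why three characters is sufficient for those cookies.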
Detection Methods for CVE-2026-27948
Indicators of Compromise
- HTTP requests containing suspicious JavaScript payloads in the setck URL parameter
- Requests with encoded script tags (%3Cscript%3E) or event handlers (onerror, onload) in query strings
- Unusual cookie-setting behavior with non-alphanumeric characters in cookie values
- Access logs showing URLs with setck= followed by HTML or JavaScript content
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block XSS patterns in the setck parameter
- Monitor HTTP access logs for requests containing setck= with encoded special characters
- Deploy browser-based XSS detection tools that can identify reflected script execution
- Review Content Security Policy (CSP) violation reports for inline script execution attempts
Monitoring Recommendations
- Configure SIEM alerts for HTTP requests containing common XSS payloads targeting Copyparty endpoints
- Enable verbose logging on Copyparty instances to capture full request URLs
- Monitor for unusual patterns of session cookie access or token exfiltration
- Implement real-time log analysis for the setck parameter with non-alphanumeric content
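As an added example (not Copyparty's own code), the following Python applies the same character allowlist that the 1.20.9 fix introduces and runs it over a few access-log lines, flagging requests whose decoded setck value contains characters outside that allowlist. It serves both the Root Cause section (how the RE_SETCK pattern is applied) and the detection and monitoring lists above (log analysis for setck values with non-alphanumeric content). The log lines, client addresses and query values are constructed for the example; the combined log format and the way the pattern is applied are assumptions, not taken from the project.

```python
import re
import urllib.parse
from typing import List, Optional, Tuple

# Same pattern the upstream fix introduces. It MATCHES any character that is
# not a digit, a lowercase letter or '=', so a match means "reject".
RE_SETCK = re.compile(r"[^0-9a-z=]")

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Feb/2026:10:00:01 +0000] "GET /?setck=k=v HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2026:10:00:02 +0000] "GET /files/?setck=k%3D%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Feb/2026:10:00:03 +0000] "GET /?setck=k%3Dx%22%20onerror%3Dy HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [26/Feb/2026:10:00:04 +0000] "GET /?doc=readme.md HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Pulls the method and request target out of the quoted request line.
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def setck_violations(value: str) -> str:
    """Return the distinct characters of a decoded setck value that the
    allowlist rejects, sorted; an empty string means the value passes."""
    return "".join(sorted(set(RE_SETCK.findall(value))))


def extract_setck(target: str) -> Optional[str]:
    """Return the first percent-decoded setck value in a request target,
    or None when the parameter is absent. parse_qs splits on the first '='
    only, so a value such as 'k=v' survives intact."""
    query = urllib.parse.urlsplit(target).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    vals = params.get("setck")
    return vals[0] if vals else None


def scan_access_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, raw_target, rejected_chars) for every request whose
    decoded setck value fails the allowlist. Decoding first matters: the
    log stores the raw target, so '<' arrives as '%3C'."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_LINE.search(line)
        if not m:
            continue
        value = extract_setck(m.group("target"))
        if value is None:
            continue
        bad = setck_violations(value)
        if bad:
            client = line.split(" ", 1)[0]
            findings.append((client, m.group("target"), bad))
    return findings


if __name__ == "__main__":
    for client, target, bad in scan_access_log(SAMPLE_LOG):
        print(f"{client} {target!r} rejected chars: {bad!r}")
```

The scanner deliberately reuses the patch's pattern rather than a list of payload keywords, so it flags any setck value the fixed server would refuse, including ones that use no recognisable keyword; the trade-off is that an unpatched instance receiving uppercase or punctuation in a benign value will also show up and needs triage.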
How to Mitigate CVE-2026-27948
Immediate Actions Required
- Upgrade Copyparty to version 1.20.9 or later immediately
- Review access logs for evidence of exploitation attempts targeting the setck parameter
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
- Consider temporarily disabling external access to Copyparty instances until patched
Patch Information
The vulnerability is fixed in Copyparty version 1.20.9. The patch introduces strict input validation using the RE_SETCK regex pattern, which only permits digits, lowercase letters and equals signs in the setck parameter. Additionally, the unescape_cookie function now truncates non-password cookie values to 3 characters, limiting the attack surface. The fix is available in commit 31b2801fd041f803f4a3d5c12c7d7cb5419048bc. Refer to the GitHub Security Advisory GHSA-62cr-6wp5-q43h for additional details.
Workarounds
- Deploy a reverse proxy or WAF in front of Copyparty to filter malicious setck parameter values
- Implement Content Security Policy headers with script-src 'self' to prevent inline script execution
- Restrict network access to Copyparty instances using firewall rules or VPN requirements
- Consider URL parameter filtering at the network edge to block known XSS patterns
# Example nginx configuration to block suspicious setck values
location / {
    # Block requests whose setck query parameter looks like an XSS attempt.
    # $arg_setck holds the raw, still percent-encoded value, so the character
    # class only catches literal metacharacters; the keyword alternatives also
    # match encoded payloads such as %3Cscript%3E. The allowlist in the 1.20.9
    # fix is the real control; this rule is defence in depth for unpatched hosts.
    if ($arg_setck ~* "[<>\"'&(){}]|script|onerror|onload") {
        return 403;
    }
    # Add a Content Security Policy header on every response, error pages included.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
    proxy_pass http://copyparty_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.