CVE-2026-30974 Overview
CVE-2026-30974 is a Cross-Site Scripting (XSS) vulnerability in Copyparty, a portable file server application. Prior to version v1.20.11, the nohtml configuration option, which was intended to prevent execution of JavaScript in user-uploaded HTML files, did not properly apply to SVG images. This oversight allows a user with write-permission to upload an SVG file containing embedded JavaScript, which would then execute in the browser context of any user who opens the malicious file.
Critical Impact
Authenticated attackers with write permissions can achieve stored XSS by uploading malicious SVG files, potentially leading to session hijacking, credential theft, or further compromise of users who view the uploaded content.
Affected Products
- Copyparty versions prior to v1.20.11
- Copyparty file server deployments with write permissions enabled for users
- Environments where the nohtml configuration was relied upon for XSS protection
Discovery Timeline
- 2026-03-10 - CVE-2026-30974 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30974
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in how Copyparty handles SVG file uploads in relation to its nohtml security configuration.
SVG (Scalable Vector Graphics) files are XML-based image formats that can contain embedded JavaScript code within <script> tags or event handlers. While Copyparty's nohtml option was designed to neutralize JavaScript execution in HTML files, the same sanitization logic was not applied to SVG uploads. This creates an attack surface where authenticated users with write permissions can bypass the intended security controls.
The vulnerability requires user interaction (the victim must open the malicious SVG file) and low-privileged access (write permission to upload files). When exploited, the attacker's JavaScript executes within the victim's browser session, potentially enabling session token theft, unauthorized actions on behalf of the victim, or phishing attacks.
Root Cause
The root cause of this vulnerability stems from incomplete input validation in the file upload handling mechanism. The nohtml configuration parameter was implemented to sanitize HTML files but failed to account for SVG files, which are a valid vector for JavaScript execution in modern browsers. The security control treated SVG images as safe static content rather than potentially executable documents.
Attack Vector
The attack requires network access and a low-privileged authenticated account with write permissions to the Copyparty file server. The attacker uploads a specially crafted SVG file containing malicious JavaScript. When another user (including administrators) views or opens this SVG file through their browser, the embedded script executes in their browser context, potentially compromising their session or credentials.
The fix implemented in v1.20.11 addresses this by adding the X-Content-Type-Options: nosniff header to prevent MIME-type sniffing attacks and properly handling SVG files within the nohtml context:
oh = "X-Content-Type-Options: nosniff\r\n"
if self.args.http_vary:
oh += "Vary: %s\r\n" % (self.args.http_vary,)
self._vf0b = {
"oh_g": oh + "\r\n",
"oh_f": oh + "\r\n",
"cachectl": self.args.cachectl,
"tcolor": self.args.tcolor,
"du_iwho": self.args.du_iwho,
Source: GitHub Commit
Detection Methods for CVE-2026-30974
Indicators of Compromise
- Presence of SVG files containing <script> tags or JavaScript event handlers (e.g., onload, onclick) in upload directories
- Suspicious SVG uploads from users who typically do not upload image content
- Web server logs showing requests for SVG files followed by unusual user activity or session anomalies
- Browser-side security tool alerts triggered when opening SVG files from the Copyparty server
Detection Strategies
- Implement file content scanning on upload to detect SVG files containing JavaScript elements such as <script>, <handler>, or inline event attributes
- Monitor web application firewall (WAF) logs for requests serving SVG content with suspicious embedded code patterns
- Deploy endpoint detection to identify browser-based script execution originating from uploaded file contexts
- Review server access logs for patterns of SVG file uploads followed by multiple users accessing the same file
Monitoring Recommendations
- Enable verbose logging for file upload operations in Copyparty to track SVG uploads with metadata about the uploading user
- Configure security information and event management (SIEM) rules to alert on SVG file uploads containing potential script content
- Implement browser Content Security Policy (CSP) headers to restrict script execution from uploaded content directories
- Regularly audit uploaded files for potential malicious content using automated scanning tools
How to Mitigate CVE-2026-30974
Immediate Actions Required
- Upgrade Copyparty to version v1.20.11 or later immediately to remediate this vulnerability
- Audit existing uploaded SVG files for embedded JavaScript content and remove or quarantine suspicious files
- Review user accounts with write permissions and apply the principle of least privilege
- Consider temporarily restricting SVG file uploads until the patch is applied
Patch Information
The vulnerability has been fixed in Copyparty version v1.20.11. The patch adds proper X-Content-Type-Options: nosniff headers and extends the nohtml configuration to properly handle SVG files. Detailed information is available in the GitHub Security Advisory GHSA-m6hv-x64c-27mm and the release notes for v1.20.11.
Workarounds
- Disable SVG file uploads entirely by configuring file type restrictions until the patch can be applied
- Implement a reverse proxy or WAF rule to strip or block SVG files containing script elements
- Configure Content-Disposition headers to force SVG downloads rather than inline rendering
- Restrict write permissions to trusted users only during the vulnerability window
# Example: Configure nginx to force download of SVG files (temporary workaround)
location ~* \.svg$ {
add_header Content-Disposition "attachment";
add_header X-Content-Type-Options "nosniff";
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
