CVE-2026-32109 Overview
CVE-2026-32109 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Copyparty, a portable file server application. This vulnerability allows authenticated attackers with read and write permissions to upload a malicious .prologue.html file that can execute arbitrary JavaScript in a victim's browser context when they click a specially crafted link.
Critical Impact
Attackers can potentially execute arbitrary JavaScript in authenticated user sessions, leading to session hijacking, data theft, or malicious actions performed on behalf of victims.
Affected Products
- Copyparty versions prior to 1.20.12
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-32109 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32109
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Cross-Site Scripting), specifically a stored XSS variant that exploits how Copyparty handles .prologue.html files. The core issue lies in unexpected JavaScript execution behavior when accessing certain URL patterns.
Under normal intended behavior, JavaScript within a .prologue.html file would only execute when directly accessing the file (e.g., https://example.com/foo/.prologue.html). However, the vulnerability allows the same JavaScript to execute when accessing the directory with the ?b parameter (e.g., https://example.com/foo/?b), creating an unexpected attack surface.
Root Cause
The root cause of this vulnerability stems from improper handling of the .prologue.html file content when rendering directory listings with certain query parameters. The server fails to properly isolate or sanitize the prologue file content in alternative access paths, allowing the embedded JavaScript to execute outside its intended scope.
Attack Vector
The attack requires several preconditions to be successful:
- The attacker must have both read and write permissions on the target Copyparty server
- The attacker uploads a malicious .prologue.html file containing JavaScript payload to a directory
- The attacker crafts a link using the ?b query parameter that triggers unintended script execution
- The victim must click the crafted link
The vulnerability is partially mitigated by existing strict SameSite cookie policies, which require the malicious link to be clicked from a page served by the Copyparty server itself. This typically requires the attacker to have additional permissions to edit existing resources on the server.
For technical details on the exploitation mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-32109
Indicators of Compromise
- Presence of .prologue.html files in server directories containing suspicious JavaScript code
- User reports of unexpected JavaScript alerts or behavior when browsing directories
- Log entries showing access patterns to directories with ?b query parameters from external referrers
Detection Strategies
- Monitor file uploads for .prologue.html files and inspect their contents for malicious JavaScript patterns
- Implement web application firewall rules to detect and alert on XSS payload patterns in uploaded files
- Review access logs for unusual patterns of requests containing the ?b query parameter combined with external referrer headers
Monitoring Recommendations
- Configure alerting for any creation or modification of .prologue.html files across all Copyparty directories
- Enable detailed access logging to track user interactions with directory listings
- Implement Content Security Policy (CSP) headers where possible to restrict inline script execution
How to Mitigate CVE-2026-32109
Immediate Actions Required
- Upgrade Copyparty to version 1.20.12 or later immediately
- Audit existing .prologue.html files across all directories for any unauthorized or suspicious content
- Review user permissions and restrict write access to only trusted users who require it
- Consider temporarily removing or renaming existing .prologue.html files until the upgrade is complete
Patch Information
The vulnerability has been fixed in Copyparty version 1.20.12. The fix addresses the unintended JavaScript execution when accessing directories via the ?b query parameter. Users should update to this version or later to remediate the vulnerability.
For detailed patch information, see the GitHub Security Advisory.
Workarounds
- Restrict write permissions to trusted users only until the patch can be applied
- Implement file upload filters to block or quarantine .prologue.html files for review
- Deploy a reverse proxy with WAF capabilities to filter potentially malicious requests
- Educate users to avoid clicking links from untrusted sources when authenticated to Copyparty
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
