What is CVE-2026-30974?

CVE-2026-30974 is a medium-severity vulnerability in 9001 Copyparty, classified under Cross-site Scripting. CVSS score: 4.6/10. Published 2026-03-10.

How severe is CVE-2026-30974?

Medium severity. CVSS v3 base score is 4.6 out of 10.

XSS in 9001 Copyparty

CVE-2026-30974

Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG conta…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (13.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.6 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Affected products

9001 Copyparty — versions < 1.20.11

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm (x_refsource_CONFIRM)
https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5 (x_refsource_MISC)
https://github.com/9001/copyparty/releases/tag/v1.20.11 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-30974?: CVE-2026-30974 is a medium-severity vulnerability in 9001 Copyparty, classified under Cross-site Scripting. CVSS score: 4.6/10. Published 2026-03-10.
How severe is CVE-2026-30974?: Medium severity. CVSS v3 base score is 4.6 out of 10.