Moderate severity · NVD Advisory · Published Jul 31, 2025 · Updated Jul 31, 2025
copyparty Reflected XSS via Filter Parameter
CVE-2025-54589
Description
Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, and the page reflects that parameter's value directly into a `` block without proper escaping. This allows reflected Cross-Site Scripting (XSS), which can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.
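An added example (not copyparty's code or its actual patch) of this bug class, assuming the value is reflected into an inline `<script>` element as a JavaScript string literal: the unescaped rendering beside a hardened one, checked with an HTML parser. The function names and the sample filter value are constructed for illustration.

```python
import json
from html.parser import HTMLParser

# Characters that can close the script element or break a JS string inside an
# inline <script>; json.dumps() alone leaves them untouched.
_JS_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}

def js_literal(value: str) -> str:
    """Encode value as a JS string literal that is safe inside inline <script>."""
    out = json.dumps(value, ensure_ascii=False)  # quotes, backslashes, controls
    for ch, esc in _JS_ESCAPES.items():
        out = out.replace(ch, esc)
    return out

def render_unsafe(filter_value: str) -> str:
    # Vulnerable pattern: request value concatenated into the script as-is.
    return '<script>var filter = "' + filter_value + '";</script>'

def render_safe(filter_value: str) -> str:
    # Hardened pattern: the value only ever appears as an escaped literal.
    return "<script>var filter = " + js_literal(filter_value) + ";</script>"

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def start_tags(html: str) -> list:
    """Return the elements an HTML parser opens while reading the markup."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags

# Constructed, benign filter value containing markup.
SAMPLE = "x</script><b>injected</b>"

if __name__ == "__main__":
    print(start_tags(render_unsafe(SAMPLE)))  # extra element escapes the script
    print(start_tags(render_safe(SAMPLE)))    # only the script element
```

The same check can run as a regression test against any template that embeds request parameters in inline script.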
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| copyparty (PyPI) | < 1.18.7 | 1.18.7 |
References
- github.com/advisories/GHSA-8mx2-rjh8-q3jq
- nvd.nist.gov/vuln/detail/CVE-2025-54589
- github.com/9001/copyparty/commit/a8705e611d05eeb22be5d3d7d9ab5c020fe54c62
- github.com/9001/copyparty/releases/tag/v1.18.7
- github.com/9001/copyparty/security/advisories/GHSA-8mx2-rjh8-q3jq