VYPR
Moderate severity · NVD Advisory · Published Feb 26, 2026 · Updated Feb 26, 2026

Copyparty vulnerable to reflected cross-site scripting via setck parameter

CVE-2026-27948

Description

Copyparty is a portable file server. In versions prior to 1.20.9, the value of the URL parameter ?setck=... is reflected to the client without being restricted, allowing reflected cross-site scripting (XSS). Version 1.20.9 fixes the issue.
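As an added example (not copyparty's own code), the following Python mirrors the validation the fix commit on this page introduces for the setck value, and then applies the same rule to access-log lines so a defender can find requests that an unpatched server would have accepted. The `[^0-9a-z=]` allowlist and the 9-character bound are taken from that diff; the requirement of exactly one `=` with a non-empty name, the function names `validate_setck` and `suspicious_setck_requests`, and the log lines are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist taken from the fix commit: only lowercase alphanumerics and "=".
# Anything else in the decoded ?setck= value is rejected.
RE_SETCK = re.compile(r"[^0-9a-z=]")
MAX_SETCK_LEN = 9  # bound on "name=value" as a whole, also from the fix


def validate_setck(zs: str) -> tuple[str, str]:
    """Return (cookie_name, cookie_value) for a well-formed setck value.

    Raises ValueError on anything the allowlist does not cover. The
    exactly-one-"=" and non-empty-name rules are this example's addition:
    they keep the tuple unpacking below from raising on "x" or "a=b=c".
    """
    if len(zs) > MAX_SETCK_LEN or RE_SETCK.search(zs):
        raise ValueError("illegal value")
    if zs.count("=") != 1 or zs.startswith("="):
        raise ValueError("illegal value")
    k, v = zs.split("=")
    return k, v


# Constructed combined-log-format lines (documentation address ranges);
# none of these are real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Feb/2026:10:00:01 +0000] "GET /?setck=k=v HTTP/1.1" 200 512',
    '192.0.2.10 - - [25/Feb/2026:10:00:02 +0000] "GET /?setck=k=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Feb/2026:10:00:03 +0000] "GET /?setck=k%3Dabc%27def HTTP/1.1" 200 4096',
    '198.51.100.7 - - [25/Feb/2026:10:00:04 +0000] "GET /?setck=averylongname=1 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [25/Feb/2026:10:00:05 +0000] "GET /?setck=a=b=c HTTP/1.1" 200 4096',
    '192.0.2.11 - - [25/Feb/2026:10:00:06 +0000] "GET /docs/readme.md?doc=1 HTTP/1.1" 200 900',
]

# Request line inside a combined-format entry: method, target, protocol, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')


def suspicious_setck_requests(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client, target, decoded_setck) for every request whose setck
    value fails the allowlist. parse_qs percent-decodes the value, so the
    check runs on what the server itself would have seen."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        for raw in parse_qs(query, keep_blank_values=True).get("setck", []):
            try:
                validate_setck(raw)
            except ValueError:
                hits.append((client, m.group("target"), raw))
    return hits


if __name__ == "__main__":
    for client, target, raw in suspicious_setck_requests(SAMPLE_LOG):
        print(f"{client} {target} -> rejected setck value {raw!r}")
```

Run against the constructed log, three of the six lines are flagged: one for a disallowed character, one for exceeding the length bound, and one for carrying two `=` signs. The last case is worth keeping in any such scanner, because the fix's own regex accepts it and only the subsequent split rejects it.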

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
copyparty (PyPI)   < 1.20.9            1.20.9

Affected products: 1

Patches

31b2801fd041

fix GHSA-62cr-6wp5-q43h: setck xss

https://github.com/9001/copyparty · Feb 25, 2026 · via ghsa
2 files changed · +9 −3
  • copyparty/httpcli.py · +6 −2 · modified
    @@ -178,6 +178,7 @@
     RE_HR = re.compile(r"[<>\"'&]")
     RE_MDV = re.compile(r"(.*)\.([0-9]+\.[0-9]{3})(\.[Mm][Dd])$")
     RE_RSS_KW = re.compile(r"(\{[^} ]+\})")
    +RE_SETCK = re.compile(r"[^0-9a-z=]")
     
     UPARAM_CC_OK = set("doc move tree".split())
     
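Review bot: RE_SETCK is defined among unrelated regexes with no comment saying what it guards; add one stating that it is the negated allowlist for the `?setck=` parameter (any character outside `[0-9a-z=]` rejects the whole value) so a later reader does not loosen it as a generic helper. Because uppercase letters, `-` and `_` are now refused, confirm that no cookie name or value copyparty's own front end sets through setck uses such characters.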
    @@ -650,7 +651,7 @@ def run(self) -> bool:
                     self.loud_reply("cookie header too big", status=400)
                     return False
                 zsll = [x.split("=", 1) for x in zso.split(";") if "=" in x]
    -            cookies = {k.strip(): unescape_cookie(zs) for k, zs in zsll}
    +            cookies = {k.strip(): unescape_cookie(zs, k) for k, zs in zsll}
                 cookie_pw = cookies.get("cppws" if self.is_https else "cppwd") or ""
                 if "b" in cookies and "b" not in uparam:
                     uparam["b"] = cookies["b"]
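Review bot: `unescape_cookie(zs, k)` receives the unstripped cookie name while the dict key uses `k.strip()`. Cookie headers separate pairs with `; `, so any cppw* cookie that is not first in the header arrives as ` cppwd`, fails the new `name.startswith("cppw")` check in util.py, and has its value cut to three characters. Pass the stripped name instead: `cookies = {k.strip(): unescape_cookie(zs, k.strip()) for k, zs in zsll}`.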
    @@ -5628,7 +5629,10 @@ def tx_mounts(self) -> bool:
             return True
     
         def setck(self) -> bool:
    -        k, v = self.uparam["setck"].split("=", 1)
    +        zs = self.uparam["setck"]
    +        if len(zs) > 9 or RE_SETCK.search(zs):
    +            raise Pebkac(400, "illegal value")
    +        k, v = zs.split("=")
             t = 0 if v in ("", "x") else 86400 * 299
             ck = gencookie(k, v, self.args.R, True, False, t)
             self.out_headerlist.append(("Set-Cookie", ck))
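Review bot: the new guard bounds length and characters but not the number of `=` signs, so `k, v = zs.split("=")` still raises ValueError for a value with zero or more than one `=` (for example `?setck=x` or `?setck=a=b=c`), surfacing as an unhandled exception rather than the intended 400. Add `or zs.count("=") != 1` to the condition, or keep `split("=", 1)` and require `"=" in zs`. The literal `9` also deserves a comment saying what it bounds (cookie name, `=` and value together).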
    
  • copyparty/util.py · +3 −1 · modified
    @@ -3439,8 +3439,10 @@ def rmdirs_up(top: str, stop: str) -> tuple[list[str], list[str]]:
         return [top] + ok, ng
     
     
    -def unescape_cookie(orig: str) -> str:
    +def unescape_cookie(orig: str, name: str) -> str:
         # mw=idk; doot=qwe%2Crty%3Basd+fgh%2Bjkl%25zxc%26vbn  # qwe,rty;asd fgh+jkl%zxc&vbn
    +    if not name.startswith("cppw"):
    +        orig = orig[:3]
         ret = []
         esc = ""
         for ch in orig:
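Review bot: `orig = orig[:3]` truncates every non-cppw* cookie value to three bytes before decoding, which contradicts the example in the comment directly above it (`doot=qwe%2Crty...` would now decode to at most `qwe`); update that comment and state why three is the limit. The `b` cookie read in httpcli.py (`uparam["b"] = cookies["b"]`) goes through this same path, so confirm its values never exceed three characters.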
    
