Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `<script>` block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| copyparty(PyPI) | 0 | 1.18.7 | N/A |
CVSS Metrics
