copyparty renders unsanitized filenames as HTML when user uploads empty files
A DOM-Based XSS was discovered in copyparty, a portable fileserver. The vulnerability is considered low-risk.
Advisories for Pypi/Copyparty package
2025
2023
copyparty vulnerable to reflected cross-site scripting via k304 parameter
The application contains a reflected cross-site scripting via URL-parameter ?k304=… and ?setck=…
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in copyparty.
copyparty vulnerable to path traversal attack
All versions before 1.8.2 have a path traversal vulnerability, allowing an attacker to download unintended files from the server.