SecuriTricks - CVE-2025-54589

Description

Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `<script>` block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.

Product(s) Impacted

Vendor	Product	Versions
Copyparty	Copyparty	<1.18.7, 1.18.7

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	copyparty	copyparty	<1.18.7	/	/	/	/	/	/	/
a	copyparty	copyparty	1.18.7	/	/	/	/	/	/	/

References

https://github.com/9001/copyparty/commit/a8705e611d05eeb22be5d3d7d9ab5c020fe54c62

https://github.com/9001/copyparty/releases/tag/v1.18.7

https://github.com/9001/copyparty/security/advisories/GHSA-8mx2-rjh8-q3jq

CVSS Score

6.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

View Vector String

Timeline

Published: July 31, 2025, 2:15 p.m.
Last Modified: July 31, 2025, 6:42 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-54589