Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at /?ru
, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a <script>
block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.