GHSA-62cr-6wp5-q43h

Source

https://github.com/advisories/GHSA-62cr-6wp5-q43h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-62cr-6wp5-q43h/GHSA-62cr-6wp5-q43h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-62cr-6wp5-q43h

Aliases

CVE-2026-27948

Published

2026-02-26T22:33:46Z

Modified

2026-02-26T23:24:25.115496Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Copyparty vulnerable to reflected XSS via setck parameter

Details

Summary

An XSS allows for reflected cross-site scripting via URL-parameter ?setck=...

Details

A reflected cross-site scripting (XSS) vulnerability could allow an attacker to execute malicious javascript by tricking users into accessing a malicious link.

The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.

Indicators of Compromise

All attempted attacks (successful or not) would be logged to both the copyparty serverlog and the accesslog of the reverseproxy, and are detected by grep -E '[?&]setck=[^&"]*%' (the text setck= eventually followed by the % character).

Database specific

{
    "nvd_published_at": "2026-02-26T02:16:22Z",
    "github_reviewed_at": "2026-02-26T22:33:46Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

PyPI / copyparty

Package

Name: copyparty; View open source insights on deps.dev
Purl: pkg:pypi/copyparty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.20.9

Affected versions

0.*

0.2.3

0.3.0

0.3.1

0.4.0

0.4.1

0.4.2

0.4.3

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.6.0

0.6.2

0.6.3

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.8.1

0.8.3

0.9.0

0.9.1

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

0.9.11

0.9.13

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.10.9

0.10.10

0.10.11

0.10.12

0.10.13

0.10.14

0.10.15

0.10.16

0.10.17

0.10.18

0.10.19

0.10.20

0.10.21

0.10.22

0.11.0

0.11.1

0.11.5

0.11.6

0.11.7

0.11.8

0.11.9

0.11.10

0.11.11

0.11.12

0.11.13

0.11.14

0.11.15

0.11.16

0.11.17

0.11.18

0.11.19

0.11.20

0.11.21

0.11.22

0.11.23

0.11.24

0.11.26

0.11.27

0.11.28

0.11.29

0.11.30

0.11.31

0.11.32

0.11.33

0.11.34

0.11.35

0.11.36

0.11.37

0.11.38

0.11.39

0.11.40

0.11.41

0.11.42

0.11.43

0.11.44

0.11.45

0.11.46

0.11.47

0.12.1

0.12.3

0.12.4

0.12.5

0.12.6

0.12.7

0.12.8

0.12.9

0.12.10

0.12.11

0.12.12

0.13.0

0.13.1

0.13.2

0.13.3

0.13.5

0.13.6

0.13.7

0.13.9

0.13.10

0.13.11

0.13.12

0.13.13

0.13.14

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.1.10

1.1.11

1.1.12

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.7.5

1.7.6

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.6

1.8.7

1.8.8

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

1.9.10

1.9.11

1.9.12

1.9.13

1.9.14

1.9.15

1.9.16

1.9.17

1.9.18

1.9.19

1.9.20

1.9.21

1.9.24

1.9.25

1.9.26

1.9.27

1.9.28

1.9.29

1.9.30

1.9.31

1.10.0

1.10.1

1.10.2

1.11.0

1.11.1

1.11.2

1.12.0

1.12.1

1.12.2

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.13.6

1.13.7

1.13.8

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

1.15.7

1.15.8

1.15.9

1.15.10

1.16.0

1.16.1

1.16.2

1.16.3

1.16.4

1.16.5

1.16.6

1.16.7

1.16.8

1.16.9

1.16.10

1.16.11

1.16.12

1.16.13

1.16.14

1.16.15

1.16.16

1.16.17

1.16.18

1.16.19

1.16.20

1.16.21

1.17.0

1.17.1

1.17.2

1.18.0

1.18.1

1.18.2

1.18.3

1.18.4

1.18.5

1.18.6

1.18.7

1.18.8

1.18.9

1.18.10

1.19.0

1.19.1

1.19.2

1.19.3

1.19.4

1.19.5

1.19.6

1.19.7

1.19.8

1.19.9

1.19.10

1.19.11

1.19.12

1.19.13

1.19.14

1.19.15

1.19.16

1.19.17

1.19.18

1.19.19

1.19.20

1.19.21

1.19.22

1.19.23

1.20.0

1.20.1

1.20.2

1.20.3

1.20.4

1.20.5

1.20.6

1.20.7

1.20.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-62cr-6wp5-q43h/GHSA-62cr-6wp5-q43h.json"