CVE-2025-27145

Name of the Vulnerable Software and Affected Versions copyparty versions prior to 1.16.15

Description The issue is a DOM-based cross-site scripting vulnerability. It can be triggered by handing someone a maliciously-named file and then tricking them into dragging the file into copyparty's Web-UI. This could allow an attacker to execute arbitrary javascript with the same privileges as that user, potentially giving unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself and requires an empty (zero bytes) file.

Recommendations For versions prior to 1.16.15, update to version 1.16.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web-UI or avoiding the use of drag-and-drop functionality with untrusted files.