PT-2026-24194 · Copyparty · Copyparty

Varshanknaik · Published 2026-03-10 · Updated 2026-03-16 · CVE-2026-30974

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Copyparty versions prior to 1.20.11

Description

Copyparty's nohtml configuration option, designed to block JavaScript execution in uploaded HTML files, did not extend to SVG images. A user with write access could upload an SVG file containing embedded JavaScript. When another user opened the file, this JavaScript would execute within that user's context. This could allow a malicious actor to move, delete, or upload files using the account of the user opening the SVG. The nohtml option correctly prevented JavaScript execution in HTML files but failed to account for SVG images.

Recommendations

Update to version 1.20.11 or later.
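
As an added example (not Copyparty's code and not its fix), the following Python script audits SVG files already stored on a volume for the embedded script content the description refers to, so that files uploaded before the update can be reviewed. The tag list, function names and sample documents are assumptions made for this illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that run script or embed HTML/external documents inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

# Constructed samples (not from the advisory); script bodies are placeholders.
SAMPLE_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
SAMPLE_ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="placeholder()">'
                 b'<script>/* placeholder */</script>'
                 b'<a href=" JavaScript:placeholder()"><rect width="4" height="4"/></a></svg>')


def local(name):
    """Drop the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data):
    """Return the reasons an SVG could execute script when opened directly."""
    if b"<!ENTITY" in data:
        # Entities can hide markup from a scan; do not expand them, report instead.
        return ["entity declaration, review by hand"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    found = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            found.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name).lower()
            # URL parsing drops leading whitespace and embedded tabs/newlines,
            # so compare the value with all such characters removed.
            scheme = "".join(c for c in value if c > " ").lower()
            if attr.startswith("on"):
                found.append(f"{attr} handler on <{tag}>")
            elif scheme.startswith("javascript:"):
                found.append(f"javascript: URL in {attr} on <{tag}>")
    return found


if __name__ == "__main__":
    # Usage: python3 svg_audit.py /path/to/volume   (the path is the reader's own)
    for path in Path(sys.argv[1] if len(sys.argv) > 1 else ".").rglob("*.svg"):
        for reason in svg_findings(path.read_bytes()):
            print(f"{path}: {reason}")
```

A hit is a reason to review the file rather than proof of malice, since legitimate SVGs sometimes use foreignObject. The scan matches only the lowercase .svg extension.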

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-30974
GHSA-M6HV-X64C-27MM

Affected Products

Copyparty