PT-2026-24823 · Copyparty · Copyparty

Thesanjok · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-32108

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Copyparty versions prior to 1.20.12

Description

Copyparty is a portable file server. Prior to version 1.20.12, a missing permission-check existed in the shares feature, specifically with the shr global-option. This issue only applies when the shares feature is used to create a share of a single file within a folder, or when the FTP or SFTP server is enabled and publicly accessible. Under these conditions, a user browsing a share via FTP or SFTP (not HTTP or HTTPS) could gain read access to other files in the shared folder by guessing or bruteforcing filenames. Access was limited to sibling files; descending into subdirectories was not possible. The issue is similar to a previously addressed problem for HTTP and HTTPS, but was not initially fixed for FTP. The FTPS server did not exist at the time of the initial fix. The vulnerable parameter is shr.

Recommendations

Versions prior to 1.20.12 should be updated to version 1.20.12 or later.
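The class of bug described above, as a simplified model added here for illustration (this is not Copyparty's code): a single-file share whose per-name check is missing on one path, next to a resolver that every protocol frontend shares. The names Share, resolve, resolve_unchecked and read_via, and all paths, are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


class AccessDenied(Exception):
    """Raised when a request falls outside what the share exposes."""


@dataclass(frozen=True)
class Share:
    folder: str               # real folder backing the share (constructed value)
    only_file: Optional[str]  # set for a single-file share, None for a folder share


def _split(requested: str) -> list:
    # Normalise the client-supplied path; refuse empty paths and traversal.
    parts = [p for p in requested.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise AccessDenied(requested)
    return parts


def resolve_unchecked(share: Share, requested: str) -> str:
    # Model of the flaw: subdirectories are refused, but the requested name is
    # never compared with only_file, so any sibling name resolves.
    parts = _split(requested)
    if share.only_file is not None and len(parts) != 1:
        raise AccessDenied(requested)
    return "/".join([share.folder] + parts)


def resolve(share: Share, requested: str) -> str:
    # Hardened form: a single-file share resolves exactly one name.
    parts = _split(requested)
    if share.only_file is not None and parts != [share.only_file]:
        raise AccessDenied(requested)
    return "/".join([share.folder] + parts)


def read_via(protocol: str, share: Share, requested: str) -> str:
    # Every frontend goes through the same resolver, so a check added for one
    # protocol cannot be absent from another.
    if protocol not in ("http", "https", "ftp", "sftp"):
        raise ValueError(protocol)
    return resolve(share, requested)
```

A regression test for this class of issue should request a sibling name through each enabled protocol, not only the one where the problem was first reported.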

Exploit

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-32108
GHSA-67RW-2X62-MQQM
PYSEC-2026-31

Affected Products

Copyparty