PT-2026-24824 · Copyparty
Thesanjok
Published: 2026-03-11 · Updated: 2026-03-12
CVE-2026-32109
CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Copyparty versions prior to 1.20.12
Description
Copyparty is a portable file server. An attacker who holds both read and write permissions can upload a malicious file named .prologue.html and then craft a link that executes arbitrary JavaScript in a victim's context. JavaScript execution is expected when a user clicks a direct link to the HTML file (e.g. 'https://example.com/foo/.prologue.html'); the issue is that a link such as 'https://example.com/foo/?b' also evaluates the file, which is unexpected. Existing protections, such as strict SameSite cookies, make exploitation harder: the target has to click the link from a page served by the server itself, for example one reached by editing an existing resource. Successful exploitation requires the target to click a specifically crafted link provided by the attacker; normal web UI browsing does not trigger the issue. If it succeeds, the malicious JavaScript can move or delete existing files on the server, or upload new files, using the account of the person who opened the link.

Recommendations
Versions prior to 1.20.12 should be updated to version 1.20.12 or later.
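The checks a defender would run against this advisory, as an added Python example (not copyparty's own code): a version comparison against the fixed release and a scan of a served tree for .prologue.html files carrying script-capable markup. The marker regex and the sample tree are this example's assumptions.

```python
"""Audit for the Copyparty .prologue.html issue (CVE-2026-32109).
is_vulnerable(): is a copyparty version older than the fixed 1.20.12?
find_risky_prologues(): list each .prologue.html under a served tree that
carries script-capable markup (assumed heuristic, not advisory text)."""
import os
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (1, 20, 12)  # first release with the fix, per the advisory
# Assumed heuristic markers; tune for your environment.
SCRIPT_MARKERS = re.compile(
    r"<script\b|\bon[a-z]+\s*=|javascript:|<iframe\b|<object\b|<embed\b",
    re.IGNORECASE)

def parse_version(version: str) -> tuple:
    """'v1.20.11' -> (1, 20, 11); extra suffixes are ignored."""
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(n) for n in nums[:3])

def is_vulnerable(version: str) -> bool:
    """True for any copyparty release before 1.20.12."""
    return parse_version(version) < FIXED_VERSION

def find_risky_prologues(root: str) -> list:
    """Return (path, matched_marker) for each .prologue.html under root
    that contains script-capable markup; plain-HTML prologues are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".prologue.html" in files:
            path = Path(dirpath) / ".prologue.html"
            text = path.read_text(encoding="utf-8", errors="replace")
            hit = SCRIPT_MARKERS.search(text)
            if hit:
                findings.append((str(path), hit.group(0)))
    return findings

def build_sample_tree() -> str:
    """Constructed sample tree: one benign and one script-bearing prologue."""
    root = tempfile.mkdtemp(prefix="copyparty-audit-")
    for sub, body in (("docs", "<h1>Team docs</h1>"),
                      ("share", "<script>/* constructed marker */</script>")):
        (Path(root) / sub).mkdir()
        (Path(root) / sub / ".prologue.html").write_text(body, encoding="utf-8")
    return root
```

Run find_risky_prologues() against the directory copyparty actually serves; build_sample_tree() only exists to exercise the scanner offline.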
Weakness Enumeration: XSS
Affected Products: Copyparty