CVE-2026-27948 is a reflected cross-site scripting (XSS) vulnerability identified in copyparty, a portable file server software. The vulnerability exists in versions prior to 1.20.9 due to improper neutralization of user input in the URL parameter `?setck=...`. This flaw allows an attacker to craft a malicious URL that, when visited by a user, causes the victim's browser to execute arbitrary JavaScript code within the context of the copyparty web interface. The vulnerability is classified under CWE-79, which pertains to improper input sanitization during web page generation. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R) such as clicking a malicious link. The scope is unchanged (S:U), and the impact affects confidentiality and integrity to a limited degree (C:L/I:L) without affecting availability (A:N). The CVSS v3.1 base score is 5.4, reflecting medium severity. The vulnerability was publicly disclosed on February 26, 2026, and fixed in copyparty version 1.20.9. No known exploits are reported in the wild as of now, but the vulnerability remains a risk for users running older versions. The flaw could be leveraged for session hijacking, theft of sensitive data accessible via the web interface, or manipulation of user interactions within the copyparty environment.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within the copyparty web interface. An attacker exploiting this reflected XSS can execute arbitrary scripts in the victim's browser, potentially stealing session cookies, performing actions on behalf of the user, or redirecting users to malicious sites. While availability is not affected, the breach of confidentiality and integrity can lead to unauthorized data access or manipulation. Organizations using copyparty for file sharing may face data leakage or unauthorized access risks, especially if users are tricked into clicking malicious links. The ease of exploitation (no privileges required, network accessible) combined with user interaction means phishing or social engineering could facilitate attacks. Although no exploits are currently known in the wild, the vulnerability poses a moderate risk until patched. The impact is more pronounced in environments where sensitive or regulated data is shared via copyparty.

To mitigate this vulnerability, organizations should immediately upgrade copyparty to version 1.20.9 or later, where the issue is resolved. Until upgrading, administrators should consider restricting access to the copyparty web interface to trusted networks or VPNs to reduce exposure. Implementing web application firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting the `?setck` parameter can provide temporary protection. Educate users about the risks of clicking unsolicited or suspicious links, especially those pointing to copyparty servers. Review and harden copyparty configuration to minimize unnecessary exposure of the web interface. Regularly monitor logs for unusual URL requests or patterns indicative of XSS attempts. Finally, incorporate input validation and output encoding best practices in any custom modifications or integrations with copyparty to prevent similar issues.