CVE-2026-27948 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the copyparty portable file server software in versions prior to 1.20.9. The flaw occurs due to improper neutralization of user-supplied input in the URL parameter `?setck=...` during web page generation. This allows an attacker to craft a malicious URL that, when visited by a user, causes the server to reflect and execute arbitrary JavaScript code in the victim’s browser context. The vulnerability does not require authentication but does require user interaction, such as clicking a malicious link. The impact includes potential theft of sensitive information like session cookies, manipulation of web page content, or redirection to malicious sites, affecting confidentiality and integrity but not availability. The CVSS 3.1 base score is 5.4, reflecting medium severity with network attack vector, low attack complexity, no privileges required, and user interaction needed. The issue was addressed in copyparty version 1.20.9, which properly sanitizes the `setck` parameter to prevent script injection. No public exploits have been reported, but the vulnerability remains a risk for unpatched deployments. Given copyparty’s use as a portable file server, the vulnerability could be leveraged to target users accessing the server’s web interface, potentially leading to session hijacking or phishing attacks.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with vulnerable copyparty servers. Attackers can execute arbitrary scripts in the context of the victim’s browser, potentially stealing session cookies, credentials, or other sensitive data accessible via the web interface. This can lead to unauthorized access or impersonation within the file server environment. While availability is not affected, the trustworthiness of the server and its data can be compromised. Organizations relying on copyparty for file sharing or hosting may face data leakage or user account compromise if the vulnerability is exploited. The requirement for user interaction limits mass exploitation but targeted phishing or social engineering attacks could be effective. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure. The vulnerability could also be used as a stepping stone for more complex attacks within a compromised network environment.

To mitigate this vulnerability, organizations should immediately upgrade copyparty to version 1.20.9 or later, where the XSS issue has been fixed by proper input sanitization of the `setck` URL parameter. In addition, administrators should implement web application firewalls (WAFs) with rules to detect and block reflected XSS attack patterns targeting the copyparty interface. Educating users to avoid clicking suspicious or unsolicited links related to the file server can reduce the risk of exploitation. Employing Content Security Policy (CSP) headers can help limit the impact of any injected scripts by restricting script execution sources. Regularly auditing and monitoring web server logs for unusual URL parameters or repeated access attempts can help detect exploitation attempts. Finally, consider isolating the copyparty server within a segmented network zone to limit potential lateral movement if an attacker gains access through XSS exploitation.