CVE-2026-30974 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the copyparty portable file server software prior to version 1.20.11. Copyparty includes a 'nohtml' configuration option intended to prevent execution of JavaScript embedded in user-uploaded HTML files, thereby mitigating XSS risks. However, this protection did not extend to SVG (Scalable Vector Graphics) images, which can contain embedded JavaScript. An attacker with write permissions on the server can upload a malicious SVG file containing JavaScript code. When another user accesses or opens this SVG file through the copyparty interface, the embedded script executes in their browser context, potentially allowing the attacker to steal session tokens, perform actions on behalf of the user, or manipulate displayed content. The vulnerability requires that the attacker has write permissions (which may be granted to authenticated users) and that the victim interacts with the malicious SVG file. The CVSS v3.1 base score is 4.6 (medium severity), reflecting network attack vector, low attack complexity, privileges required (write permission), and user interaction. The vulnerability affects confidentiality and integrity but does not impact availability. This issue was addressed in copyparty version 1.20.11 by extending the 'nohtml' option protections to SVG files, effectively neutralizing embedded JavaScript execution. No known exploits are reported in the wild at this time.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data accessed via the copyparty file server. An attacker who can upload malicious SVG files can execute arbitrary JavaScript in the context of other users who open these files, potentially stealing authentication tokens, cookies, or other sensitive information. This could lead to unauthorized actions performed on behalf of victims, data leakage, or manipulation of the user interface. Since exploitation requires write permissions and user interaction, the risk is limited to environments where multiple users have upload rights and access to the same files. Availability is not affected. Organizations using copyparty in shared or multi-user environments, especially where user permissions are not tightly controlled, face increased risk. The medium CVSS score indicates moderate risk but should not be underestimated in sensitive deployments.

1. Upgrade copyparty to version 1.20.11 or later, where the vulnerability is fixed by applying the 'nohtml' option to SVG files. 2. Restrict write permissions strictly to trusted users to reduce the risk of malicious SVG uploads. 3. Implement file upload validation to block or sanitize SVG files containing scripts before they are accepted. 4. Educate users to be cautious when opening SVG files from untrusted sources within the file server environment. 5. Consider disabling SVG file support if not required. 6. Monitor server logs for unusual upload activity or access patterns to detect potential exploitation attempts. 7. Employ Content Security Policy (CSP) headers if possible to restrict script execution contexts in browsers accessing the copyparty server. 8. Regularly audit user permissions and uploaded content for suspicious files.