CVE-2026-30974 is a cross-site scripting vulnerability classified under CWE-79 affecting the copyparty portable file server software prior to version 1.20.11. Copyparty includes a 'nohtml' configuration option intended to prevent execution of JavaScript embedded in user-uploaded HTML files, thereby mitigating XSS risks. However, this protection did not extend to SVG (Scalable Vector Graphics) files, which can contain embedded JavaScript. An attacker with write permissions on the server can upload a crafted SVG file containing malicious JavaScript code. When another user accesses or opens this SVG file via the copyparty interface, the embedded script executes in the context of the victim's browser session. This can lead to unauthorized actions such as session hijacking, data theft, or manipulation of the user interface. The vulnerability requires the attacker to have authenticated write access and relies on user interaction to open the malicious SVG, limiting the attack surface. The flaw was addressed in copyparty version 1.20.11 by extending the 'nohtml' protection to SVG files, effectively neutralizing embedded scripts. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 base score is 4.6 (medium severity), reflecting the limited scope and required conditions for exploitation.

The primary impact of this vulnerability is the potential execution of malicious JavaScript in the context of users accessing SVG files on vulnerable copyparty servers. This can compromise confidentiality by enabling theft of session tokens or sensitive data accessible in the browser context. Integrity may be affected if the attacker can manipulate the user interface or perform unauthorized actions on behalf of the victim. Availability is not impacted. Since exploitation requires authenticated write access, the threat is limited to environments where users have upload permissions, such as collaborative file sharing setups. Organizations using copyparty to share sensitive files risk exposure of user credentials or unauthorized actions if the vulnerability is exploited. The lack of known active exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks. Failure to patch may lead to lateral movement or privilege escalation in environments where copyparty is integrated with other systems.

1. Upgrade copyparty installations to version 1.20.11 or later, which includes the fix extending 'nohtml' protections to SVG files. 2. Restrict write/upload permissions strictly to trusted and authenticated users to reduce the risk of malicious file uploads. 3. Implement server-side file validation and sanitization to detect and block SVG files containing embedded scripts before they are accepted. 4. Educate users to be cautious when opening SVG files from untrusted sources, even within internal environments. 5. Monitor server logs for unusual upload activity or access patterns indicative of exploitation attempts. 6. Consider deploying Content Security Policy (CSP) headers that restrict script execution contexts to mitigate impact if malicious scripts are served. 7. Regularly audit and review copyparty configurations to ensure security options like 'nohtml' are properly enabled and effective. 8. If possible, isolate copyparty servers in segmented network zones to limit potential lateral movement from compromised accounts.