CVE-2026-32109 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting copyparty, a portable file server, in versions prior to 1.20.12. The flaw occurs because the server improperly neutralizes input during web page generation, specifically when handling a file named .prologue.html. An attacker with both read and write permissions can upload this specially named HTML file containing malicious JavaScript. The vulnerability is triggered when a user accesses a URL with a query string appended to the path containing .prologue.html (e.g., https://example.com/foo/?b), causing the server to evaluate and execute the JavaScript within the .prologue.html file unexpectedly. Normally, JavaScript execution is expected only when directly accessing the .prologue.html file itself. The attack vector requires the attacker to have write access to upload or modify resources on the server and the victim to click a crafted link. The presence of strict SameSite cookie attributes mitigates the risk of session hijacking by limiting cross-site request forgery. The vulnerability does not activate during normal navigation of the copyparty web UI, reducing the likelihood of accidental exploitation. No known exploits have been reported in the wild. The issue was addressed and fixed in version 1.20.12 of copyparty.

The primary impact of this vulnerability is the potential execution of arbitrary JavaScript in the context of the victim's browser session when interacting with the copyparty server. This could lead to limited confidentiality and integrity impacts, such as theft of session tokens or manipulation of client-side data. However, exploitation requires the attacker to have both read and write permissions on the server, which limits the scope to users who already have elevated access. Additionally, the victim must actively click a crafted link, further reducing the risk. The vulnerability does not affect availability. Due to strict SameSite cookie policies, the risk of session hijacking is mitigated, making large-scale exploitation difficult. Organizations using copyparty servers with multiple users and shared permissions could face targeted attacks aiming to escalate privileges or steal session information. Overall, the impact is low but should not be ignored in environments where copyparty is used for sensitive file sharing.

To mitigate this vulnerability, organizations should upgrade copyparty to version 1.20.12 or later, where the issue is fixed. Until upgrading, administrators should restrict write permissions strictly to trusted users to prevent unauthorized upload or modification of .prologue.html files. Implement monitoring and alerting for the presence of suspicious files named .prologue.html or unusual query string access patterns on the server. Enforce strict content security policies (CSP) on the server to limit the execution of unauthorized scripts. Educate users to avoid clicking suspicious or unsolicited links, especially those containing query parameters that could trigger unexpected behavior. Consider isolating copyparty instances in segmented network zones to limit exposure. Regularly audit user permissions and review server logs for anomalous activity related to file uploads and URL access patterns. These steps will reduce the likelihood of exploitation and limit the potential damage if exploited.