CVE-2026-32109: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in 9001 copyparty
CVE-2026-32109 is a cross-site scripting (XSS) vulnerability in copyparty versions prior to 1.20.12. It arises when an attacker with both read and write permissions uploads a malicious .prologue.html file and crafts a link that executes arbitrary JavaScript unexpectedly. The vulnerability occurs because the server evaluates the .prologue.html file not only when accessed directly but also when accessed with certain query parameters, leading to unexpected script execution. Exploitation requires the victim to click a crafted link originating from the server itself, which limits the attack scope.
AI Analysis
Technical Summary
CVE-2026-32109 is a cross-site scripting (CWE-79) vulnerability affecting copyparty, a portable file server, in versions before 1.20.12. The flaw allows an attacker who has both read and write permissions on the server to upload a malicious file named .prologue.html. This file contains arbitrary JavaScript code. The vulnerability stems from the server's behavior of evaluating the .prologue.html file not only when accessed directly via a URL like https://example.com/foo/.prologue.html but also when accessed with query parameters such as https://example.com/foo/?b. This unexpected evaluation leads to arbitrary script execution in the context of the victim's browser. However, exploitation requires the attacker to have write access to upload the malicious file and the victim to click a crafted link originating from the server itself, typically by editing an existing resource. The server employs strict SameSite cookie policies, which mitigate session hijacking risks by restricting cookie transmission in cross-site contexts. The vulnerability does not activate during normal navigation of the copyparty web UI, limiting accidental exposure. The CVSS v3.1 base score is 3.7, reflecting low severity due to the need for user interaction, limited privileges required, and partial mitigations. The issue was publicly disclosed on March 11, 2026, and fixed in copyparty version 1.20.12.
Potential Impact
The primary impact of this vulnerability is the potential execution of arbitrary JavaScript in the context of a victim's browser session when interacting with a maliciously crafted link. This can lead to limited confidentiality and integrity impacts, such as theft of session tokens or manipulation of client-side data within the scope of the copyparty server. However, the attack requires the attacker to have both read and write permissions on the server, which already implies a level of trust or prior compromise. Additionally, the victim must click a crafted link served from the same server, reducing the likelihood of widespread exploitation. The strict SameSite cookie policy further reduces the risk of session hijacking. There is no impact on availability. Overall, the vulnerability poses a low risk to organizations but could be leveraged in targeted attacks where an insider or compromised user uploads malicious content and entices other users to click crafted links. Organizations using copyparty in multi-user environments with shared write permissions should be cautious.
Mitigation Recommendations
1. Upgrade copyparty to version 1.20.12 or later, where this vulnerability is fixed.
2. Restrict write permissions strictly to trusted users to minimize the risk of malicious file uploads.
3. Implement monitoring and alerting for uploads of files with suspicious names such as .prologue.html or other HTML files that could contain scripts.
4. Educate users about the risks of clicking unexpected or suspicious links, especially those originating from the copyparty server itself.
5. Consider additional web server hardening, such as disabling execution of HTML files in upload directories or sanitizing filenames to prevent special file names that trigger script execution.
6. Review and enforce strict Content Security Policy (CSP) headers to limit the impact of any injected scripts.
7. Regularly audit user permissions and access controls to ensure least privilege principles are followed.
8. Use network segmentation to isolate copyparty servers from critical infrastructure to limit lateral movement if compromise occurs.
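The two recommendations above that a defender can turn into code are the upload monitoring (item 3) and the CSP review (item 6). The following is an added example written for this page; it is not copyparty's own code, and the upload-log line format it parses is a constructed, hypothetical format chosen for illustration (copyparty's real log format is not described here). It flags uploads named .prologue.html at high severity and any other .html/.htm upload at medium severity, and it checks whether a Content-Security-Policy value actually prevents inline script execution.

```python
"""Defender-side checks for the mitigation items above.

Added example, not copyparty project code. The upload-log format below is a
constructed assumption for this example, not copyparty's real log format.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical upload-log line format, constructed for this example:
#   <timestamp> upload user=<name> vol=<volume> name=<filename> size=<bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+upload\s+user=(?P<user>\S+)\s+vol=(?P<vol>\S+)\s+"
    r"name=(?P<name>\S+)\s+size=(?P<size>\d+)$"
)

# The file name the advisory names explicitly, plus the generic case it
# mentions ("other HTML files that could contain scripts").
PROLOGUE_NAME = ".prologue.html"
HTML_SUFFIXES = (".html", ".htm")


@dataclass
class Finding:
    ts: str
    user: str
    vol: str
    name: str
    severity: str  # "high" for .prologue.html, "medium" for other HTML files


def classify_upload_name(name: str) -> Optional[str]:
    """Return a severity for a suspicious upload name, or None if benign.

    Only the final path component is inspected, and the comparison is
    case-insensitive so that Report.HTML or .PROLOGUE.HTML is not missed.
    """
    base = name.rsplit("/", 1)[-1]
    low = base.lower()
    if low == PROLOGUE_NAME:
        return "high"
    if low.endswith(HTML_SUFFIXES):
        return "medium"
    return None


def scan_upload_log(lines: Iterable[str]) -> List[Finding]:
    """Run the name check over log lines; non-upload lines are ignored."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        sev = classify_upload_name(m["name"])
        if sev:
            findings.append(Finding(m["ts"], m["user"], m["vol"], m["name"], sev))
    return findings


def csp_blocks_inline_scripts(csp: str) -> bool:
    """True if the policy's script-src (or the default-src fallback) does not
    permit inline scripts or a wildcard source.

    A nonce or hash source in the directive causes 'unsafe-inline' to be
    ignored by CSP Level 2+ browsers, so that combination still counts as
    blocking inline scripts.
    """
    directives = {}
    for part in csp.split(";"):
        toks = part.split()
        if toks:
            directives[toks[0].lower()] = [t.lower() for t in toks[1:]]
    src = directives.get("script-src", directives.get("default-src"))
    if src is None:
        return False  # no script-src and no default-src: nothing restricts scripts
    has_nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in src
    )
    allows_inline = "'unsafe-inline'" in src and not has_nonce_or_hash
    return not allows_inline and "*" not in src


# Constructed sample log lines in the hypothetical format above.
SAMPLE_LOG = [
    "2026-03-11T20:29:54Z upload user=alice vol=/foo name=.prologue.html size=412",
    "2026-03-11T20:30:02Z upload user=bob vol=/foo name=photos/cat.jpg size=90211",
    "2026-03-11T20:31:17Z upload user=carol vol=/docs name=notes/Report.HTML size=2048",
    "2026-03-11T20:31:40Z login user=dave ok=1",
]

if __name__ == "__main__":
    for f in scan_upload_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.user} uploaded {f.name} into {f.vol}")
    print("CSP blocks inline:", csp_blocks_inline_scripts("default-src 'self'"))
```

The scan only matches the hypothetical line shape; to use it against a real deployment, replace `LOG_RE` with a pattern for the upload records your copyparty instance actually emits. The CSP check is deliberately conservative: a policy with no script-governing directive at all is reported as not blocking inline scripts.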
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.854Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1d0c22f860ef94375752b
Added to database: 3/11/2026, 8:29:54 PM
Last enriched: 3/19/2026, 2:22:37 AM
Last updated: 4/28/2026, 7:28:15 AM