CVE-2025-27145

LOW
2025-02-25 [email protected]
3.6
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 28, 2026 - 18:28 vuln.today
Patch Released
Mar 28, 2026 - 18:28 nvd
Patch available
PoC Detected
Sep 19, 2025 - 19:06 vuln.today
Public exploit code
CVE Published
Feb 25, 2025 - 02:15 nvd
LOW 3.6

Tags

XSS Copyparty

Description

copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes). Note that, as a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in `<script>` tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened. Version 1.16.15 contains a fix.

Analysis

copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. Rated low severity (CVSS 3.6), this vulnerability is no authentication required. Public exploit code available.

Technical Context

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes). Note that, as a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in `<script>` tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened. Version 1.16.15 contains a fix. Affected products include: 9001 Copyparty. Version information: prior to 1.16.15..

Affected Products

9001 Copyparty.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +18
POC: +20

Share

CVE-2025-27145 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy