What is the CVSS score of CVE-2026-32109?

CVE-2026-32109 has a CVSS 3.1 base score of 3.7 (Low). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Copyparty are affected by CVE-2026-32109?

CVE-2026-32109 is a low-severity vulnerability in Copyparty involving cross-site scripting (CVSS 3.7).. A patch is available.

How to fix or mitigate CVE-2026-32109?

During next maintenance window: Apply vendor patches when convenient. Verify cross-site scripting controls are in place.

Copyparty CVE-2026-32109

LOW

Cross-site Scripting (XSS) (CWE-79)

2026-03-11 security-advisories@github.com

GHSA-rcp6-88mm-9vgf

XSS Copyparty

3.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

3.7 LOW

AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:07 vuln.today

CVE Published

Mar 11, 2026 - 21:16 nvd

LOW 3.7

DescriptionGitHub Advisory

Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain control of the target's authenticated session, the link must be clicked from a page served by the server itself -- most likely by editing an existing resource, which would require additional access permissions. Finally, for this attack to be successful, the attacker's target must click the specific crafted link given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server. This vulnerability is fixed in 1.20.12.

AnalysisAI

If an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	Attackers can steal session cookies, redirect users to malicious sites, deface content, or perform actions on behalf of authenticated users. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker injects a JavaScript payload into a vulnerable input field. When another user views the page, the script executes in their browser, stealing their session token.
Remediation	Encode all user-supplied output contextually (HTML, JS, URL). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

During next maintenance window: Apply vendor patches when convenient. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-32109 vulnerability details – vuln.today

Back