cvedb.io
CVE-2025-54589
MEDIUM · CVSS 6.3
EPSS exploitation probability: 0%
Published 2025-07-31T14:15:34.927 · Last modified 2026-06-17T09:40:21.250

Summary

Copyparty is a portable file server. In versions 1.18.6 and below, users accessing the recent uploads page at `/?ru` can filter the results using an input field at the top. This field appends a filter parameter to the URL, and the parameter's value is reflected directly into a `<script>` block without proper escaping. This allows reflected Cross-Site Scripting (XSS), which can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.
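
An added example (not copyparty's code and not its 1.18.7 fix) of the flaw class described above: a request parameter reflected into a `<script>` block, first unescaped and then encoded as a JavaScript string literal that cannot terminate the block. The function names, page template and sample value are constructed for illustration.

```python
import json

# Constructed sample: a filter value that tries to close the script block.
SAMPLE_FILTER = 'a"</script><b>x</b>\u2028'

# Hypothetical page template; {value} is where the filter is reflected.
PAGE = "<script>\nvar filter = {value};\n</script>"


def render_unsafe(value):
    """Reflect the value into the script block with no escaping."""
    return PAGE.format(value='"' + value + '"')


def js_literal(value):
    """Encode a string as a JS literal that stays inert inside <script>."""
    # json.dumps handles quotes, backslashes and control characters, and
    # (ensure_ascii default) turns U+2028/U+2029 into \uXXXX escapes.
    out = json.dumps(value)
    # It leaves <, >, & and ' alone. The HTML parser ends a script element
    # at "</script" even inside a JS string, so escape those as well.
    for ch in "<>&'":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out


def render_safe(value):
    """Reflect the value as an escaped JS string literal."""
    return PAGE.format(value=js_literal(value))


def script_close_count(page):
    """Count script terminators; the template alone contributes exactly one."""
    return page.lower().count("</script")


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(SAMPLE_FILTER)
        print(name, "terminators:", script_close_count(page))
        print(page, end="\n\n")
```

A terminator count above one means the reflected value ended the script element early and the rest of it is parsed as HTML.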

Affected products

9001 — copyparty

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.