N.B. Copyparty has had a couple of known security vulnerabilities, though they’ve been addressed in recent updates. Here’s a quick rundown:

Known Security Issues

- DOM-Based Cross-Site Scripting (XSS) – CVE-2025-27145
  - Affected versions: Prior to 1.16.15
  - Risk level: Low
  - Details:
    - Triggered when a user drags a maliciously named, empty file into the Web UI.
    - Could allow arbitrary JavaScript execution with the user’s privileges.
    - Notably, this happens during the upload action—not when the file is opened.
  - Fix: Patched in version 1.16.15
- Multimedia Metadata XSS – CVE-2025-54423
  - Affected versions: Prior to 1.18.5
  - Risk level: Moderate (CVSS score 5.4)
  - Details:
    - Improper sanitization of metadata in multimedia files (e.g., .m3u playlists).
    - Could allow unauthenticated attackers to execute JavaScript via malicious metadata or URLs.
  - Fix: Patched in version 1.18.5

Recommendations

- Update immediately to version 1.18.5 or later to ensure you’re protected.
- Avoid uploading or interacting with untrusted multimedia files, especially .m3u.
- Be cautious with drag-and-drop actions in the Web UI involving unknown files.
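
To act on the update recommendation across several hosts, the sketch below maps each deployed version to the CVEs from this note that still apply. It is an added example, not part of copyparty; the host names and inventory are constructed, and it assumes plain three-part version strings and, for the local check, a pip-installed package named copyparty.

```python
import re
from importlib import metadata

# Fixed-in versions exactly as stated in the note above.
FIXED_IN = {
    "CVE-2025-27145": (1, 16, 15),  # DOM-based XSS on drag-and-drop upload
    "CVE-2025-54423": (1, 18, 5),   # multimedia metadata XSS
}

def parse_version(text):
    """Parse '1.16.9' or 'v1.18.5' into a tuple of ints.

    Comparing integers matters: as strings, '1.16.9' sorts after '1.16.15'.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def affected_cves(version):
    """Return the CVEs from FIXED_IN that this version predates."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)

def audit(inventory):
    """Map host -> applicable CVEs; unparseable versions are flagged, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = affected_cves(version)
        except ValueError:
            report[host] = ["UNKNOWN-VERSION"]
    return report

def installed_version():
    """Version of a pip-installed copyparty on this machine, or None (assumption)."""
    try:
        return metadata.version("copyparty")
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    # Constructed inventory; host names are hypothetical.
    inventory = {"nas-01": "1.16.9", "media-02": "1.18.4",
                 "lab-03": "v1.18.5", "old-04": "unknown"}
    for host, cves in audit(inventory).items():
        print(f"{host}: {', '.join(cves) if cves else 'patched'}")
    print("local install:", installed_version() or "not found via pip metadata")
```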