GHSA-M6HV-X64C-27MM
Vulnerability from github – Published: 2026-03-10 01:20 – Updated: 2026-03-10 18:45
Summary
The nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images.
Details
A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it.
This in itself is not a vulnerability; it is intended behavior according to the SVG spec. The vulnerability is that the nohtml volflag, when enabled, did not prevent this.
nohtml, intended for use on volumes that contain untrusted files, would correctly prevent execution of JavaScript in HTML files, but did not consider SVG images. This has been fixed in v1.20.11.
Impact
The malicious JavaScript could move or delete existing files on the server, or upload new files, using the account of the person who opens the SVG.
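The root cause described above is a policy that treated only `text/html` as an active document while a browser will also run script inside an inline `image/svg+xml` response. The following is an added illustration of the defensive check, not copyparty's own code (its `nohtml` implementation and the fix in v1.20.11 are not reproduced on this page): a small "serve untrusted upload" policy that treats SVG the same way as HTML, sniffs for SVG files uploaded under a bland content type, and flags SVGs that carry script so an operator can review them. All type lists, regexes and sample files are constructed for the example.

```python
import re

# Types a browser renders as an active document, i.e. where embedded script
# can run. Constructed list for this example; SVG is the one the original
# nohtml policy missed.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

# Root element sniff: an SVG uploaded as application/octet-stream is still an
# SVG if it is later served with an svg content type.
_SVG_ROOT = re.compile(rb"<svg[\s>]", re.IGNORECASE)

# Conservative markers of script inside an SVG: <script> elements, on*=
# event-handler attributes and javascript: URLs. False positives are
# acceptable here because a hit only means "review before serving inline".
_SVG_SCRIPT = re.compile(rb"<script[\s>]|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def sniff_active_type(declared_type: str, head: bytes) -> str:
    """Return the effective media type, promoting to image/svg+xml when the
    first 2 KiB contain an <svg> root regardless of the declared type."""
    mtype = declared_type.split(";")[0].strip().lower()
    if mtype in ACTIVE_TYPES:
        return mtype
    if _SVG_ROOT.search(head[:2048]):
        return "image/svg+xml"
    return mtype


def svg_has_script(body: bytes) -> bool:
    """True when the SVG body contains any of the script markers above."""
    return bool(_SVG_SCRIPT.search(body))


def response_headers(declared_type: str, body: bytes, nohtml: bool) -> dict:
    """Headers for serving an uploaded file from a volume.

    With nohtml enabled, every active type (HTML *and* SVG) is neutralised:
    served as plain text, forced to download, and sandboxed by CSP, so the
    script never executes in the viewer's session."""
    mtype = sniff_active_type(declared_type, body)
    headers = {
        "Content-Type": mtype,
        "X-Content-Type-Options": "nosniff",  # stop the browser re-sniffing
    }
    if nohtml and mtype in ACTIVE_TYPES:
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = "attachment"
        headers["Content-Security-Policy"] = "sandbox; script-src 'none'"
    return headers


def audit_uploads(uploads: dict) -> list:
    """Return the names of uploads that are SVGs carrying script, for review.
    `uploads` maps filename -> (declared content type, bytes)."""
    flagged = []
    for name, (declared_type, body) in uploads.items():
        if sniff_active_type(declared_type, body) == "image/svg+xml" and svg_has_script(body):
            flagged.append(name)
    return sorted(flagged)


# Constructed sample uploads for a volume with nohtml enabled.
SAMPLE_UPLOADS = {
    "logo.svg": ("image/svg+xml",
                 b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'),
    "chart.svg": ("image/svg+xml",
                  b'<svg xmlns="http://www.w3.org/2000/svg">'
                  b"<script>console.log('constructed sample')</script></svg>"),
    "notes.bin": ("application/octet-stream",
                  b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'
                  b'<rect onload="console.log(1)"/></svg>'),
    "photo.png": ("image/png", b"\x89PNG\r\n\x1a\n"),
}

if __name__ == "__main__":
    for name in audit_uploads(SAMPLE_UPLOADS):
        print("review:", name)
    for name, (ctype, body) in SAMPLE_UPLOADS.items():
        print(name, response_headers(ctype, body, nohtml=True))
```

The point of `sniff_active_type` is that the policy must key on what the browser will do with the bytes, not on the extension or the declared type at upload time; and `response_headers` shows why the fix is a one-line change of category rather than a new mechanism: once SVG is in the active set, the existing HTML treatment covers it.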
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.20.10"
},
"package": {
"ecosystem": "PyPI",
"name": "copyparty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30974"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T01:20:19Z",
"nvd_published_at": "2026-03-10T18:18:56Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe `nohtml` config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images.\n\n### Details\nA user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it.\n\nThis in itself is not a vulnerability; it is intended behavior according to [the SVG spec](https://www.w3.org/TR/SVG11/script.html). The vulnerability is that the `nohtml` volflag, when enabled, did not prevent this.\n\n`nohtml`, intended for use on volumes which contains untrusted files, would correctly prevent execution of javascript in HTML files, but did not consider SVG images. This has been fixed in v1.20.11.\n\n### Impact\nThe malicious JavaScript could move or delete existing files on the server, or upload new files, using the account of the person who opens the SVG.",
"id": "GHSA-m6hv-x64c-27mm",
"modified": "2026-03-10T18:45:39Z",
"published": "2026-03-10T01:20:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30974"
},
{
"type": "WEB",
"url": "https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/9001/copyparty"
},
{
"type": "WEB",
"url": "https://github.com/9001/copyparty/releases/tag/v1.20.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "copyparty: volflag `nohtml` did not block javascript in svg files"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.