ByteOS Network

CVE Vulnerability Details :

CVE-2025-54589

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-31 Jul, 2025 | 13:48

Updated At-31 Jul, 2025 | 14:12

▼CVE Numbering Authority (CNA)

copyparty Reflected XSS via Filter Parameter

Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `<script>` block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.

Affected Products

Vendor

9001

Product

copyparty

Versions

Affected

< 1.18.7

Problem Types

Type	CWE ID	Description
CWE	CWE-79	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE	CWE-80	CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Metrics

Version	Base score	Base severity	Vector
3.1	6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References

Hyperlink	Resource
https://github.com/9001/copyparty/security/advisories/GHSA-8mx2-rjh8-q3jq	x_refsource_CONFIRM
https://github.com/9001/copyparty/commit/a8705e611d05eeb22be5d3d7d9ab5c020fe54c62	x_refsource_MISC
https://github.com/9001/copyparty/releases/tag/v1.18.7	x_refsource_MISC

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References