SCA: security update for copyparty (GHSA-rcp6-88mm-9vgf)

medium Tenable Self-Hosted Container Security Plugin ID 438704

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-
permissions to the server, they can upload a malicious file with the filename .prologue.html and then
craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended
behavior that the JavaScript would execute if the target clicks a link to the HTML file itself;
"https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would
also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict
SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain
control of the target's authenticated session, the link must be clicked from a page served by the server
itself -- most likely by editing an existing resource, which would require additional access permissions.
Finally, for this attack to be successful, the attacker's target must click the specific crafted link
given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server.
This vulnerability is fixed in 1.20.12. (CVE-2026-32109)

Solution

Update the copyparty library and its related packages to version 1.20.12 or later.

See Also

https://github.com/advisories/GHSA-rcp6-88mm-9vgf

Plugin Details

Severity: Medium

ID: 438704

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/12/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.42

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 3.6

Temporal Score: 2.7

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2026-32109

CVSS v3

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/12/2026

Vulnerability Publication Date: 3/11/2026

Reference Information

CVE: CVE-2026-32109

cwe: CWE-79