{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T09:30:16.173","vulnerabilities":[{"cve":{"id":"CVE-2026-30974","sourceIdentifier":"security-advisories@github.com","published":"2026-03-10T18:18:56.220","lastModified":"2026-03-13T20:14:44.720","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11."},{"lang":"es","value":"Copyparty es un servidor de archivos portátil. Antes de la v1.20.11., la opción de configuración nohtml, destinada a evitar la ejecución de JavaScript en archivos HTML subidos por el usuario, no se aplicaba a las imágenes SVG. Un usuario con permiso de escritura podía subir un SVG que contenía JavaScript incrustado, el cual se ejecutaría en el contexto de cualquier usuario que lo abriera. Esto ha sido corregido en la v1.20.11."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N","baseScore":4.6,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*","versionEndExcluding":"1.20.11","matchCriteriaId":"430C3EDB-42FA-41FD-B9FE-739C47155409"}]}]}],"references":[{"url":"https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/9001/copyparty/releases/tag/v1.20.11","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}