PYSEC-2026-31
Vulnerability from pysec - Published: 2026-03-11 21:16 - Updated: 2026-05-20 09:18
VLAI
Details
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the FTP or SFTP server is enabled, and also made publicly accessible. Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time. This vulnerability is fixed in 1.20.12.
Severity
6.5 (Medium)
Impacted products
| Name | purl | copyparty | pkg:pypi/copyparty |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "copyparty",
"purl": "pkg:pypi/copyparty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.12"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.10.0",
"0.10.1",
"0.10.10",
"0.10.11",
"0.10.12",
"0.10.13",
"0.10.14",
"0.10.15",
"0.10.16",
"0.10.17",
"0.10.18",
"0.10.19",
"0.10.2",
"0.10.20",
"0.10.21",
"0.10.22",
"0.10.3",
"0.10.4",
"0.10.5",
"0.10.6",
"0.10.7",
"0.10.8",
"0.10.9",
"0.11.0",
"0.11.1",
"0.11.10",
"0.11.11",
"0.11.12",
"0.11.13",
"0.11.14",
"0.11.15",
"0.11.16",
"0.11.17",
"0.11.18",
"0.11.19",
"0.11.20",
"0.11.21",
"0.11.22",
"0.11.23",
"0.11.24",
"0.11.26",
"0.11.27",
"0.11.28",
"0.11.29",
"0.11.30",
"0.11.31",
"0.11.32",
"0.11.33",
"0.11.34",
"0.11.35",
"0.11.36",
"0.11.37",
"0.11.38",
"0.11.39",
"0.11.40",
"0.11.41",
"0.11.42",
"0.11.43",
"0.11.44",
"0.11.45",
"0.11.46",
"0.11.47",
"0.11.5",
"0.11.6",
"0.11.7",
"0.11.8",
"0.11.9",
"0.12.1",
"0.12.10",
"0.12.11",
"0.12.12",
"0.12.3",
"0.12.4",
"0.12.5",
"0.12.6",
"0.12.7",
"0.12.8",
"0.12.9",
"0.13.0",
"0.13.1",
"0.13.10",
"0.13.11",
"0.13.12",
"0.13.13",
"0.13.14",
"0.13.2",
"0.13.3",
"0.13.5",
"0.13.6",
"0.13.7",
"0.13.9",
"0.2.3",
"0.3.0",
"0.3.1",
"0.4.0",
"0.4.1",
"0.4.2",
"0.4.3",
"0.5.0",
"0.5.1",
"0.5.2",
"0.5.3",
"0.5.4",
"0.5.5",
"0.5.6",
"0.5.7",
"0.6.0",
"0.6.2",
"0.6.3",
"0.7.0",
"0.7.1",
"0.7.2",
"0.7.3",
"0.7.4",
"0.7.5",
"0.7.6",
"0.7.7",
"0.8.1",
"0.8.3",
"0.9.0",
"0.9.1",
"0.9.10",
"0.9.11",
"0.9.13",
"0.9.3",
"0.9.4",
"0.9.5",
"0.9.6",
"0.9.7",
"0.9.8",
"0.9.9",
"1.0.0",
"1.0.1",
"1.0.10",
"1.0.11",
"1.0.12",
"1.0.13",
"1.0.14",
"1.0.2",
"1.0.3",
"1.0.4",
"1.0.5",
"1.0.7",
"1.0.8",
"1.0.9",
"1.1.0",
"1.1.1",
"1.1.10",
"1.1.11",
"1.1.12",
"1.1.2",
"1.1.3",
"1.1.4",
"1.1.5",
"1.1.6",
"1.1.7",
"1.1.8",
"1.1.9",
"1.10.0",
"1.10.1",
"1.10.2",
"1.11.0",
"1.11.1",
"1.11.2",
"1.12.0",
"1.12.1",
"1.12.2",
"1.13.0",
"1.13.1",
"1.13.2",
"1.13.3",
"1.13.4",
"1.13.5",
"1.13.6",
"1.13.7",
"1.13.8",
"1.14.0",
"1.14.1",
"1.14.2",
"1.14.3",
"1.14.4",
"1.15.0",
"1.15.1",
"1.15.10",
"1.15.2",
"1.15.3",
"1.15.4",
"1.15.5",
"1.15.6",
"1.15.7",
"1.15.8",
"1.15.9",
"1.16.0",
"1.16.1",
"1.16.10",
"1.16.11",
"1.16.12",
"1.16.13",
"1.16.14",
"1.16.15",
"1.16.16",
"1.16.17",
"1.16.18",
"1.16.19",
"1.16.2",
"1.16.20",
"1.16.21",
"1.16.3",
"1.16.4",
"1.16.5",
"1.16.6",
"1.16.7",
"1.16.8",
"1.16.9",
"1.17.0",
"1.17.1",
"1.17.2",
"1.18.0",
"1.18.1",
"1.18.10",
"1.18.2",
"1.18.3",
"1.18.4",
"1.18.5",
"1.18.6",
"1.18.7",
"1.18.8",
"1.18.9",
"1.19.0",
"1.19.1",
"1.19.10",
"1.19.11",
"1.19.12",
"1.19.13",
"1.19.14",
"1.19.15",
"1.19.16",
"1.19.17",
"1.19.18",
"1.19.19",
"1.19.2",
"1.19.20",
"1.19.21",
"1.19.22",
"1.19.23",
"1.19.3",
"1.19.4",
"1.19.5",
"1.19.6",
"1.19.7",
"1.19.8",
"1.19.9",
"1.2.0",
"1.2.1",
"1.2.10",
"1.2.11",
"1.2.2",
"1.2.3",
"1.2.4",
"1.2.5",
"1.2.6",
"1.2.7",
"1.2.8",
"1.2.9",
"1.20.0",
"1.20.1",
"1.20.10",
"1.20.11",
"1.20.2",
"1.20.3",
"1.20.4",
"1.20.5",
"1.20.6",
"1.20.7",
"1.20.8",
"1.20.9",
"1.3.0",
"1.3.1",
"1.3.10",
"1.3.11",
"1.3.12",
"1.3.13",
"1.3.14",
"1.3.15",
"1.3.16",
"1.3.2",
"1.3.3",
"1.3.4",
"1.3.5",
"1.3.6",
"1.3.7",
"1.3.8",
"1.3.9",
"1.4.0",
"1.4.1",
"1.4.2",
"1.4.3",
"1.4.4",
"1.4.5",
"1.4.6",
"1.5.0",
"1.5.1",
"1.5.2",
"1.5.3",
"1.5.4",
"1.5.5",
"1.5.6",
"1.6.0",
"1.6.1",
"1.6.10",
"1.6.11",
"1.6.12",
"1.6.13",
"1.6.14",
"1.6.15",
"1.6.2",
"1.6.3",
"1.6.4",
"1.6.5",
"1.6.6",
"1.6.7",
"1.6.8",
"1.6.9",
"1.7.0",
"1.7.1",
"1.7.2",
"1.7.3",
"1.7.4",
"1.7.5",
"1.7.6",
"1.8.0",
"1.8.1",
"1.8.2",
"1.8.3",
"1.8.4",
"1.8.6",
"1.8.7",
"1.8.8",
"1.9.0",
"1.9.1",
"1.9.10",
"1.9.11",
"1.9.12",
"1.9.13",
"1.9.14",
"1.9.15",
"1.9.16",
"1.9.17",
"1.9.18",
"1.9.19",
"1.9.2",
"1.9.20",
"1.9.21",
"1.9.24",
"1.9.25",
"1.9.26",
"1.9.27",
"1.9.28",
"1.9.29",
"1.9.3",
"1.9.30",
"1.9.31",
"1.9.4",
"1.9.5",
"1.9.6",
"1.9.7",
"1.9.8",
"1.9.9"
]
}
],
"aliases": [
"CVE-2026-32108",
"GHSA-67rw-2x62-mqqm"
],
"details": "Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the FTP or SFTP server is enabled, and also made publicly accessible. Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time. This vulnerability is fixed in 1.20.12.",
"id": "PYSEC-2026-31",
"modified": "2026-05-20T09:18:55.420886Z",
"published": "2026-03-11T21:16:16.760Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/9001/copyparty/security/advisories/GHSA-67rw-2x62-mqqm"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…