copyparty

v1.20.16 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 8d File Storage & Sync

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

copyparty file-server file-sharing file-upload-server ftp-server nas-frontend

+2 more

tftp-server webdav-server

Affected surfaces

auth

ReleasePort's take

Moderate signal

editorial:auto 8d

The release patches CVE-2026-27948, an XSS vulnerability.

Why it matters: CVE severity is high (score 90); patch immediately to prevent web UI exploitation.

Summary

AI summary

Broad release touches 🔧 other changes, 🧪 new features, 🩹 bugfixes, and 🌠 fun facts.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Fixes CVE-2026-27948 XSS vulnerability. Fixes CVE-2026-27948 XSS vulnerability. Source: llm_adapter@2026-05-26 Confidence: high	—
Feature
Feature	Medium	Adds option to generate music spectrograms with logarithmic frequency scale. Adds option to generate music spectrograms with logarithmic frequency scale. Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Medium	Allows users with read-access to create get-only shares. Allows users with read-access to create get-only shares. Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Medium	Adds support for the s6 service notification protocol. Adds support for the s6 service notification protocol. Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Medium	Enables renaming or removal of the toplevel folder in download-as-zip/tar via `&name=` URL parameter. Enables renaming or removal of the toplevel folder in download-as-zip/tar via `&name=` URL parameter. Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Medium	Adds option to set custom name/path for ffmpeg/ffprobe binaries. Adds option to set custom name/path for ffmpeg/ffprobe binaries. Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Medium	Adds audio playback support for MKA files. Adds audio playback support for MKA files. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix
Bugfix	Medium	Fixes get-only shares not expiring when the creator is removed. Fixes get-only shares not expiring when the creator is removed. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fixes toggling between cropped/full‑size cover art for music. Fixes toggling between cropped/full‑size cover art for music. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fixes file listing breakage caused by files from the year 30828. Fixes file listing breakage caused by files from the year 30828. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Low	Fixes JavaScript crash when dragging a picture out of the browser. Fixes JavaScript crash when dragging a picture out of the browser. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	Resolves issue with "fancy markdown editor" not working on phones. Resolves issue with "fancy markdown editor" not working on phones. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—

Full changelog

read-only demo server at https://a.ocv.me/pub/demo/
docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

recent important news

v1.20.9 (2026-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

#1463 opds: improved compatibility with various clients (thx @kamaeff!) 9068ec6a
#1485 users with read-access can now create get-only shares (thx @Scotsguy!) 0bb80e92
#1466 support the s6 service notification protocol (thx @mobin-2008!) 8c201b84 ca406472
download-as-zip/tar: the toplevel folder can be renamed with url-param &name=foo or entirely removed with &name cc5420a3
#1487 option to generate music spectrograms with logarithmic frequency scale (thx @9hax!) 83dc20f3
option to set custom name/path for ffmpeg/ffprobe binaries 5e806ec1
#1489 audio playback of mka files

🩹 bugfixes

#1480 #1482 fix get-only shares not expiring if the creator is removed (thx @celinke97 and @Scotsguy!) 3b53a228
#1474 toggling between cropped/fullsize coverart for music didn't work 926c6e81
#1470 files from the year 30828 would break file listing 27031f73
#1494 fix js-crash when dragging a pic from the gallery out of the browser (thx @icxes!) 7d81b9e8
"fancy markdown editor" didn't work on phones 6183540c
improve signal handling f4f97b6c
- if I messed something up then --sig-thr or send 7x sigterm

🔧 other changes

docker: the arm32 build of the iv image has graduated 6e75faa6
- copyparty/iv is now only available for i386 / x86_64 / aarch64
docker: rawpy is no longer bundled; now using libraw directly 348b4bb5
- creating thumbnails of .raw photos is now MUCH slower but quality is also much better
partyfuse: switch to mfusepy; adds fuse3 support and improves performance b2401ff1
additional advisory tiers for use with the vulnerability-checker 4e9ad781
clarify behavior of xvol regarding permissions e3271830
packaging/docs:
- #1479 freebsd: fix deps in rc.d (thx @Kansattica!) f432ef6d
- #1458 macos docs (thx @ilotoki0804!) d7eb556c

🌠 fun facts

there will be a tiny handful of copyparty stickers at dokomi this weekend

💾 what to download?

except for u2c.exe, all of the options above are mostly equivalent
the zip and tar.gz files below are just source code
python packages are available at PyPI

Breaking Changes

Docker iv image arm32 build removed; now only i386, x86_64, and aarch64 are supported

Security Fixes

CVE-2026-27948

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track copyparty

Get notified when new releases ship.

About copyparty

Portable file server with accelerated resumable uploads, dedup, WebDAV, SFTP, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file