How severe is CVE-2025-27145?

This vulnerability has a severity rating of LOW with a CVSS score of 3.6 out of 10.

What type of vulnerability is CVE-2025-27145?

This is classified as CWE-79, which is a common weakness in software security.

CVE-2025-27145 - LOW Severity | CVSS 3.6

Vulnerability Description

copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes). Note that, as a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in `<script>` tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened. Version 1.16.15 contains a fix.

Related Vulnerabilities

CVE-2025-27574

LOW

CVSS:3.6(Low)

Cross-site scripting vulnerability exists in the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an arbitrary script may be executed ...

CWE-792025

CVE-2014-125110

LOW

CVSS:3.5(Low)

A vulnerability has been found in wp-file-upload Plugin up to 2.4.3 on WordPress and classified as problematic. Affected by this vulnerability is the function wfu_ajax_action_callback of the file lib/...

CWE-792014

CVE-2014-125111

LOW

CVSS:3.5(Low)

A vulnerability was found in namithjawahar Wp-Insert up to 2.0.8 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. Th...

CWE-792014

CVE-2015-10131

LOW

CVSS:3.5(Low)

A vulnerability was found in chrisy TFO Graphviz Plugin up to 1.9 on WordPress and classified as problematic. Affected by this issue is the function admin_page_load/admin_page of the file tfo-graphviz...

CWE-792015

CVE-2015-10132

LOW

CVSS:3.5(Low)

A vulnerability classified as problematic was found in Thimo Grauerholz WP-Spreadplugin up to 3.8.6.1 on WordPress. This vulnerability affects unknown code of the file spreadplugin.php. The manipulati...

CWE-792015

CVE-2017-20191

LOW

CVSS:3.5(Low)

A vulnerability was found in Zimbra zm-admin-ajax up to 8.8.1. It has been classified as problematic. This affects the function XFormItem.prototype.setError of the file WebRoot/js/ajax/dwt/xforms/XFor...

CWE-792017