winget install --id 9001.copypartyAbout copyparty
Portable file server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps
What's new in 1.20.14
- v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS) 🧪 new features - #1410 #376 #1224 new option --glang to autoselect UI-translation based on webbrowser's language (thx @stackxp!) ec3e0e7e - #1407 #1384 option to automatically switch between list-view and grid-view depending on folder contents (thx @icxes!) 822fa718 660ed7a9 961a2737 - #1447 audioplayer can now play bcstm / bfstm / brstm files (nintendo 3ds/wii bgm) 3a9ff67a - #1389 add 1000-based filesize-units in addition to 1024-based 43773f2c - reloc-by-wark, a pair of hooks to rename incoming uploads to a hash of the file contents 1e7de5d1 - option --rlo to change the logrotate-counter for -lo 8b986888 - add --certkey to specify certificate and key as separate files 8c7cdf85 - but the built-in HTTPS server should still not be trusted - config-files can now use OS environment-variables anywhere in the [global] config section cbd82b65 e52bbed8 - by default, only the syntax ${VAR} is supported, not $VAR or %VAR% - previously, a small handful of global-options already supported this (c lo hist dbpath ssl_log), but they also supported the $VAR syntax, which is no longer the case - if the old $VAR syntax is detected, copyparty will crash on startup, suggesting the following remedies (choose one!) in the log: 1. update the config-value to the new ${VAR} syntax (recommended) 2. allow the old syntax with global-option --env-expand 1 (risky) 3. ignore the old syntax and only expand the new syntax with global-option --env-expand 2 4. disable all environment-variable expansions with PRTY_NO_ENVEXPAND=1 🩹 bugfixes - #1437 webdav cli...
Version history
| Version | Updated | Notes |
|---|---|---|
| 1.20.14 | Unknown | - v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS) 🧪 new features - #1410 #376 #1224 new option --glang to autoselect UI-translation based on webbrowser's language (thx @stackxp!) ec3e0e7e - #1407 #1384 option to automati... |
| 1.20.13 | Unknown | - v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS) 🧪 new features - #1351 add .hidden support (thx @NecRaul!) beb634dc 134e378e - cosmetic filter to exclude specific files from directory listings by adding their filenames... |
| 1.20.12 | Unknown | - GHSA-67rw-2x62-mqqm: when a share is created for just one or more files inside a folder, it was possible to use FTP or SFTP to access the other files inside that folder by guessing the filenames - so ignore this issue... |
| 1.20.11 | Unknown | GHSA-m6hv-x64c-27mm the nohtml volflag did not prevent javascript inside SVG images from executing -- a malicious user with write-access could upload an SVG file which would execute as javascript when someone opens it 1c... |
| 1.20.10 | Unknown | - v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS) 🩹 bugfixes - #1311 fix login (broke in v1.20.9) ecdfd2d1 🔧 other changes - warn that config-reload doesn't do global-options a29037a0 🌠fun facts - rushing out a cve-fix... |
| 1.20.9 | Unknown | GHSA-62cr-6wp5-q43h could let an attacker execute arbitrary JS by tricking you into clicking a malicious link 31b2801f 🔧 other changes - webdav: dav-port can be used as an alternative to daw d21242fc |
| 1.20.8 | Unknown | - #1298 add Hungarian translation (thx @sonacl!) eefb181b f37c3b96 - #1299 chown now accepts 4-digit values (thx @new-sashok724!) 5a7504fd 🩹 bugfixes - audioplayer skip-silence: - #1303 clamp ffwd to safe values (thx @ic... |
| 1.20.7 | Unknown | - now possible to upload/delete files while the filesystem-indexer is still busy d44ea245 0ca4c1bd - global-option fika decides which actions to allow while still indexing; default is upload+copy+delete - full deduplicat... |
| 1.20.6 | Unknown | - #1264 now possible to grant the get permission when creating a share 95b827f1 - the button was already there, but until now it did nothing 🩹 bugfixes - a safeguard (24141b49) added in v1.20.5 was too strict and would b... |
| 1.20.5 | Unknown | - #1240 webdav clients can now set fractional last-modified timestamps (thx @jcwillox!) 296362fc - #1260 add support for running the server with GraalPy (thx @vgskye!) 73d06eaf - #1182 pressing CTRL-C will copy links of... |
| 1.20.4 | Unknown | - #1235 rightclick-menu: fix creating new files/folders in gridview (thx @SpaceXCheeseWheel!) ffca67f2 🔧 other changes - #1229 updated the Esperanto translation (thx @slashdevslashurandom!) 1142ac25 - #1232 shares: if an... |
| 1.20.3 | Unknown | - send-message-to-serverlog now also available as url-parameter ?smsg=foo - option smsg configures which HTTP-methods to allow; can be set to GET,POST but default is only POST because GET is dangerous (CSRF) 🩹 bugfixes -... |
| 1.20.1 | Unknown | - read-only demo server at https://a.ocv.me/pub/demo/ - docker image ╱ similar software ╱ client testbed there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most rece... |
| 1.19.17 | Unknown | Release notes |