• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

⚠️ ATTN: this release fixes an ftp/sftp issue with shares

• GHSA-67rw-2x62-mqqm: when a share is created for just one or more files inside a folder, it was possible to use FTP or SFTP to access the other files inside that folder by guessing the filenames
  • so ignore this issue if you did not enable ftp or sftp in the server config
• it was not possible to descend into subdirectories in this manner; only the sibling files were accessible
• NOTE: this does NOT affect filekeys; this is specifically regarding the shr global-option
• password-protected shares were not affected through SFTP, only FTP

this release also fixes GHSA-rcp6-88mm-9vgf but that one is nothing to worry about

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• features? in this econonmy?? ain't nobody got time for that

🩹 bugfixes

• 66f1ef6 GHSA-67rw-2x62-mqqm (shares)
• 9f9d30f GHSA-rcp6-88mm-9vgf (the other thing)

🌠 fun facts

• the first cve is still by far the worst, none of the others even close... so at least that's nice
  • if you saw the cve notification and got all worked up, here's some comfy music to relax and upgrade copyparty to

💾 what to download?

• except for u2c.exe, all of the options above are mostly equivalent
• the zip and tar.gz files below are just source code
• python packages are available at PyPI

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

⚠️ ATTN: this release fixes a vulnerability

GHSA-m6hv-x64c-27mm the nohtml volflag did not prevent javascript inside SVG images from executing -- a malicious user with write-access could upload an SVG file which would execute as javascript when someone opens it 1c9f894

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• version-checker (thx @icxes!) c6965f0
  • default-disabled; you must choose a URL to grab security advisories from to enable it
  • periodically checks the security advisories and shows a warning in the controlpanel if you're running a vulnerable version
  • can optionally panic and shutdown the server if you prefer that
  • man, the timing on this though... absolute cinema

🩹 bugfixes

• fix nohtml not being aware that SVG images can execute javascript 1c9f894
  • a new volflag noscript was also added; nohtml will automatically enable noscript, but noscript can also be useful on its own; see readme
• various upload rules fixes:
  • #1335 rotf couldn't handle trailing slash (thx @NecRaul!) 8e20506
  • #1337 rotn didn't always count correctly (thx @NecRaul!) 23d4a62
  • rotn didn't apply to dupes 00e821d
• combining rp-loc and site was a bit jank (thx @new-sashok724!) 31b2384
• global-option idp-store: 2 would result in excessive config reloading 1272de9
• fix fd-leak when indexing certain compressed files, including epub books 8b5ac23
• forget-ip: fix sqlite cursor-locking 37123e3

🔧 other changes

• #1316 Chinese translation got a huge makeover (thx @satgo1546 and @lxdlam!) b015274
• #1324 better rclone advice on the connect-page 8941701
• static website resources, previously served from /.cpr/ have moved to /.cpr/w/ for easier configuration of allowlists in reverseproxies and authentication middlewares 753ff54

🌠 fun facts

• according to the SVG spec, images being able to execute javascript is a feature and intentional behavior... what a concept!

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-02-25)

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🩹 bugfixes

• #1311 fix login (broke in v1.20.9) ecdfd2d

🔧 other changes

• warn that config-reload doesn't do global-options a29037a

🌠 fun facts

• rushing out a cve-fix in the wee hours of the morning before the 9-5 is a great idea that never goes wrong
  • 10/10 will probably do again

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-02-25)

⚠️ ATTN: this release fixes an XSS vulnerability

GHSA-62cr-6wp5-q43h could let an attacker execute arbitrary JS by tricking you into clicking a malicious link 31b2801

known issue: login broken, fix roughly 8pm UTC tonight

🔧 other changes

• webdav: dav-port can be used as an alternative to daw d21242f

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• #1298 add Hungarian translation (thx @sonacl!) eefb181 f37c3b9
• #1299 chown now accepts 4-digit values (thx @new-sashok724!) 5a7504f

🩹 bugfixes

• audioplayer skip-silence:
  • #1303 clamp ffwd to safe values (thx @icxes!) f5e70c7
  • fix crash on folderchange f1a433a

🔧 other changes

• due to legal reasons, the docker-images and bootable flashdrive are now unable to create thumbnails of HEVC/h265 videos and heif/heic images 1bec91d
  • this primarily means photos/videos taken with iphones (and maybe some samsung phones)
  • on the bright side, this has made the docker-images much smaller; ac is now half the size it used to be, and iv / dj are each 97 MiB smaller

🌠 fun facts

• if you wanna see your car doing its best impression of a frictionless spherical cow, I can warmly (heh) recommend the icy snowcoated countryroads of viken this weekend
  • goes oddly well with sakuraburst - deconstructing nature

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• now possible to upload/delete files while the filesystem-indexer is still busy d44ea24 0ca4c1b
  • global-option fika decides which actions to allow while still indexing; default is upload+copy+delete
  • full deduplication is only guaranteed if this option is set blank, as dupes are allowed while indexing
• #1266 browsers can request thumbnails as jxl images, and view jxl files in the gallery (thx @intelfx!) b2711e0 720c83b 93ffc65 a65a30b a7a25de 59de5e2 16403d8 48c1017 0e8913c
  • only works in browsers which support jxl, which is FINALLY happening (sure took a while)
  • some notes on memory/RAM usage though -- it is fine on Alpine Linux, so docker is also fine, just don't enable mimalloc
    • jxl can be disabled with global-option th-no-jxl if necessary on baremetal deployments until libvips fixes this
• #1265 audioplayer can "skip silence" now (thx @icxes!) 6694998
• #1287 opensearch support for opds (thx @philips!) 84e687a
• #1276 option rw-edit is the list of file-extensions that can be edited as textfiles with only permissions read+write (default is md like before); all other files still require read+write+delete 312f48e d692838
• #1288 option to customize the links copied when selecting files and pressing ctrl-c (thx @icxes!) e5d0a05
• docker: add env-var DI_PREPARTY to run an arbitrary script during startup, for customizations and such bf01ca4

🩹 bugfixes

• #1279 the textfile-viewer would refuse to load huge documents when hotlinked f02e9cf
• #1280 the custom rightclick-menu was enabled in the textfile viewer fc8a4b8
• #1262 logtail now works on windows; would previously take an exclusive-lock on the monitored file, as windows does by default a368fc6

🔧 other changes

• volumes are hidden from the treeview if the name starts with a dot 76041fd
• #1277 descript.ion files no longer require the e2d and e2t options to be enabled 4cb4e82
• chunked PUT-uploads are now terminated if they exceed a configured size limit dfadb5a
• #1282 improved compatibility with GraalPy (thx @vgskye!) e8609b8
• #1292 #1296 updated Esperanto translation (thx @slashdevslashurandom!) 418bf2f 914f84c
• thumbnails: use libvips as fallback for rawpy 27ae2e1
  • libvips doesn't support .arw files (sony) yet, so still need rawpy
• make server config slightly easier:
  • improve xff warnings 96aeb89
  • warn if config-values are quoted 598df44
  • lowercase headernames in configs fd09638

🌠 fun facts

• the fika option sends the filesystem-indexer on a coffee break
• exci wants me to mention aoi yuuki here for some reason :^) so here's gekisou gungnir

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• #1264 now possible to grant the get permission when creating a share 95b827f
  • the button was already there, but until now it did nothing

🩹 bugfixes

• a safeguard (24141b4) added in v1.20.5 was too strict and would block requests from certain reverseproxies, specifically anything that adds X-Forwarded-HTTP-Version 72224d2

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• #1240 webdav clients can now set fractional last-modified timestamps (thx @jcwillox!) 296362f
• #1260 add support for running the server with GraalPy (thx @vgskye!) 73d06ea
• #1182 pressing CTRL-C will copy links of selected files to clipboard 9c14972

🩹 bugfixes

• #1248 shares: fix the buttons for extending expiration time b6bf6d5
• #1242 webdav: fix «MacOS Finder» taking forever to connect (thx @freddyheppell!) 8e046fb
• ie11 would spinlock in write-only folders 5c4ba37

🔧 other changes

• fast again! ed6a8d5
  • replaced the connection:close band-aid added in v1.20.4 with a proper fix that doesn't make things slower behind reverseproxies
  • I've tried everything I can think of (with nginx as reverseproxy) and can't notice any difference in behavior, but please let me know if this breaks anything for you 🙏
• #1245 updated Portuguese translation (thx @000yesnt!) 69fa1d1
• #1259 OpenRC: add command to test config (thx @lotsospaghetti!) 79273a7
• #1257 removed the nth global-option because it was never implemented (thx @stackxp!) 22cdc0f
• syntax highlighter: added languages nasm + nix, removed autohotkey + cmake b20d325

🌠 fun facts

• http/1.1 still tends to be faster than http/2 and http/3 for large transfers which is the main reason copyparty hasn't made the change
  • eh, not really a fun fact I suppose ┐( ´ w `)┌

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🩹 bugfixes

• #1235 rightclick-menu: fix creating new files/folders in gridview (thx @SpaceXCheeseWheel!) ffca67f
• #1231 fix http desync if the urlform global-option was changed to get
  • this initial fix only applies when reverse-proxied, in which case copyparty will now always connection:close (don't reuse tcp/uds connections), as giving each client a fresh socket helps avoid all such issues e1eff21 b4fddbc
  • the expected performance impact from this change is near-zero for real use, even if benchmarks show a 40% reduction in requests/sec in the absolute-worst-case (burst of cheap requests)
  • a future version will also fix this issue for non-proxied clients

🔧 other changes

• #1229 updated the Esperanto translation (thx @slashdevslashurandom!) 1142ac2
• #1232 shares: if an external domain is configured, then show both the LAN and external link for each share 81e5eb7

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• send-message-to-serverlog now also available as url-parameter ?smsg=foo 6dcb1ef
  • option smsg configures which HTTP-methods to allow; can be set to GET,POST but default is only POST because GET is dangerous (CSRF)

🩹 bugfixes

• #1227 dillo was not able to login because dillo is more standards-compliant than every other browser (nice) b4df8fa
• a web-scraper which got banned for making malicious requests could remain banned for one request longer than intended (wait why did I fix this) ba67b27
• ?ls was still a bit jank 0a3a807

🌠 fun facts

• this 6AM release was powered by void/mournfinale
• was going to name the release "dilla på dillo" but somehow google-translate thinks that means "fuck on fuck" which would have been inappropriate

⚠️ not the latest version!