- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)
⚠️ ATTN: this release fixes CVE-2025-58753, an issue with shares
- when a share is created for just one or more files inside a folder, it was possible to access the other files inside that folder by guessing the filenames
- it was not possible to descend into subdirectories in this manner; only the sibling files were accessible
- NOTE: this does NOT affect filekeys; this is specifically regarding the
shrglobal-option
recent important news
- v1.19.8 (2025-09-07) fixed CVE-2025-58753 (a missing permission-check inside single-file shares)
- v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
- v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details
🧪 new features
- #761 IdP: option to replace the login/logout links and buttons with redirects into an IdP UI 09f2299
- #726 disk-usage and server-version can be selectively hidden according to user permissions 19a4c45
- option
--shr-who/ volflagshr_whodecides who is able to create a share of that volume edafa15 - #751 nixos: add globalExtraConfig to specify repeatable config parameters (thx @xvrqt!) 09e3018
- some very small speedups (mainly u2c and ancient python versions) 74821a3
- #759 #393 total folder size now decreases when files inside are deleted 96b109b
- would previously require a reindex to get back on track
🩹 bugfixes
- fix GHSA-pxvw-4w88-6x95 by fencing fileshares to just the shared files e0a92ba
- #397 prevent hinting at valid passwords, even if they cannot be used to authenticate with 7a4ee4d
- #747 disable some features if
/tmpmust be used for runtime config e6755aa- the config-folder will now also be created with chmod 700 (accessible by owner only)
- #733 #298 fix hotkeys on non-qwerty keyboard layouts (dvorak etc.) e798a9a
- #539 ftp-server: support clients which never does a CWD b049631
- ignore the plaintext session-cookie on https; fixes some confusing behavior when switching from https to http c71128f
og-uawould prevent clients matching the pattern from accessing fullsize filesog-uawas only possible to set globally; theog_uavolflag was ignored 422f8f6- uds / unix-domain-sockets got wrong permissions when
rm-sckwas used e270fe6 - #727 macos: support running from config-files 230a146
- #539 avoid issues if someone uploads a file with a last-modified timestamp from year -9999999999999 eeb7738
- using the spacebar to pause a video was jank on chrome bfcb6ea
- block the next-song hotkey while a folder is loading f7e08ed
- #748 fix rare js-panic when an action is aborted aaeec11
- #738 bubbleparty: use /bin/bash (thx @ckastner!) 0469b5a
🔧 other changes
- partyfuse: nice speedup by caching
readdirtoo 06d2654 - partyfuse: explain usage with usernames 1cdb388
- connect-page: better examples when usernames enabled 3bdef75
- docker: fix image annotations ab56238
🌠 fun facts
💾 what to download?
| download link | is it good? | description |
|---|---|---|
| copyparty-sfx.py | ✅ the best 👍 | runs anywhere! only needs python |
| copyparty-en.py | ✅ also good | same but english-only, no i18n |
| a docker image | it's ok | good if you prefer docker 🐋 |
| copyparty.exe | ⚠️ acceptable | for win8 or later; built-in thumbnailer |
| u2c.exe | ⚠️ acceptable | CLI uploader as a win7+ exe (video) |
| copyparty.pyz | ⚠️ acceptable | similar to the regular sfx, mostly worse |
| copyparty32.exe | ⛔️ dangerous | for win7 -- never expose to the internet! |
| cpp-winpe64.exe | ⛔️ dangerous | runs on 64bit WinPE, otherwise useless |
| bootable usb | ┐(゚∀゚)┌ | a surprisingly useful joke (x86_64) |