• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

⚠️ ATTN: this release fixes a Denial-of-Service vuln

CVE-2025-54796: an unauthenticated user could make the server grind to a halt by accessing a particular URL

recent important news

• v1.18.9 (2025-08-01) fixed CVE-2025-54796 (Denial-of-Service)
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

• #310 translated to Spanish (thx @herruzo99!) a1dfd0b
• #350 translated to Ukrainian (thx @MrMebelMan!) fea45e4
• #321 translated to Russian (thx @A1Asriel!) 0b05c72
• #381 translated to Finnish (thx @icxes and @Permik!) 7ecedb2
  • haha it says surf
• #312 add option to use localtime in the UI ad23b25
• #386 initial packaging for debian (thx @Beethoven-n!) 3c6f0b1

🩹 bugfixes

• CVE-2025-54796 / GHSA-5662-2rj7-f2v6 09910ba
• #347 fix upload-abort when uploading to a share 6d6d79f
• fix xiu backlog dropping on restart 3222ba3
• #375 fix crash on really old versions of python2.7 (thx @bb!) b69d590
• #388 another python2.7 fix: improve unicode support in u2c (thx @KevinXuxuxu!) 9c19753
• log creator of new/blank markdown docs d0d2f20
• #400 config didn't support indenting with tabs c160428

🔧 other changes

• ack was changed to continue 4fa7be2

🌠 fun facts

• the translations have made the sfx size balloon from 766 to 845 KiB in under a week... nice! keep em coming 🎉

💾 what to download?

• except for u2c.exe, all of the options above are mostly equivalent
• the zip and tar.gz files below are just source code
• python packages are available at PyPI

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-28)

recent important news

• v1.18.7 (2025-07-30) (PREVIOUS RELEASE) fixed XSS in the recent-uploads page
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🩹 bugfixes

• #354 fix copyparty-sfx.py failing to start on certain versions of python c17ce48

💾 what to download?

• except for u2c.exe, all of the options above are mostly equivalent
• the zip and tar.gz files below are just source code
• python packages are available at PyPI

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

⚠️ ATTN: this release fixes an XSS vulnerability

GHSA-8mx2-rjh8-q3jq, could let an attacker execute arbitrary JS by tricking you into clicking a malicious URL

Soon there won't be many of these left, surely. Huge thanks to @Ju0x for finding and reporting this.

recent important news

• v1.18.7 (2025-07-30) fixed XSS in the recent-uploads page
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

• #265 uid/gid for new files can be configured per-volume f195998
  • has preconditions; see readme
• #212 add German translation (thx @rGunti, @Scotsguy, @chocolateimage) 9d32564

🩹 bugfixes

• GHSA-8mx2-rjh8-q3jq a8705e6
• #276 windows: fix segfault (thx @kernel1994 for debugging!) a9d07c6
• #272 webdav: send disk-size and disk-free to clients 4988a55
• #285 use disk-free sans root-reserve on linux (thx @Arklaum!) c3cc2dd
• cors-check was funky on IPv6 e9684d4
• #325 upgrade sharex example for newer versions 6016ec9
• #300 restore support for old versions of python 2.7 b7ca6f4

🔧 other changes

• shares: the config POST-target is now always the webroot (for ease of IdP configuration) fb7cbc4
• unlist: now applies to the navpane too fbf17be
• windows: show disk-usage as well, not just disk-free 5c6341e
• #228 nix-pkg improvements (thx @dtomvan!) 4915b14
• docker-compose: ensure logs appear in realtime 3cde1f3
• mention that IdP-volumes and users can now be persisted 6069bc9
• #316 explain a scary-looking thing in the code 053de61

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-28)

recent important news

• v1.18.5 (2025-07-28) (PREVIOUS RELEASE) fixed XSS in display of media tags
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

• #201 add support for reflink-based dedup on cow filesystems df9feab
  • combine --dedup with --reflink to enable, or volflags with same name
  • a better and safer alternative to the other dedup approaches (symlink/hardlink), but only possible to use in some cases:
    • needs linux 5.3 or newer, python 3.14 or newer, btrfs/xfs/zfs
    • not available in the docker images yet; needs a new version of python, so maybe next alpine release (november/december 2025)
• ratelimit password changes to impede bruteforcing a2601fd
  • limit is set by --ban-pwc (default is 5 changes in 60min)

🩹 bugfixes

• #240 nixos: fix unixgroups issue (thx @chinponya!) 7c9c962
• #246 cbz: use correct page for thumbnail (thx @Scotsguy!) 542a1de

🔧 other changes

• volflag nosub now also prevents mkdir 0f2c623
• improve documentation:
  • #229 use the same example UDS path everywhere cb019af
  • example nginx config had misleading cloudflare comment (thx @jmi2k!) 674fc1f
  • more readable --help-chmod 03d23da
  • #244 fix typo in --help 4f013f6
• #242 hide "use real pw" on connectpage if no accounts (thx @toast003!) 025942a
• #211 docker: remove deprecated attribute (thx @ptweezy!) 5b98e10
• #190 add the feature-showcase video to the readme (thx @RustoMCSpit!) 43e6da3

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-28)

⚠️ ATTN: this release fixes an XSS vulnerability

GHSA-9q4r-x2hj-jmvr, exploitable in two different ways, could let an attacker execute arbitrary javascript on other users:

• either: tricking someone into clicking a malicious URL to load and execute javascript
• or: uploading a malicious audio file to the server, affecting any successive visitors

so, with new and curious eyes on the project, we are starting off with a bang. Huge thanks to @altperfect for finding and reporting this earlier today.

recent important news

• v1.18.5 (2025-07-28) fixed XSS in display of media tags
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

• #214 option to stop playback after one song, and/or at end of folder 6bb27e6

🩹 bugfixes

• GHSA-9q4r-x2hj-jmvr 895880a
• block external m3u files 2228f81
• #202 the connect-page could show IP-address when it should have used hostnames/domains b0dec83
• scrolling locked after tailing a file and closing it creatively d197e75

🔧 other changes

• #189 the SameSite cookie parameter now defaults to Strict, increasing CSRF protection ca6d0b8
  • new option --cookie-lax reverts to previous value Lax
• docker: add FTPS support b419984

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-02-25)

recent important news

• v1.16.15 (2025-02-25) fixed low-severity xss when uploading maliciously-named files
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

• #182 Landmarks edba7ff
  • detects that a storage backend is glitching out and disengage the up2k-database as a precaution
• #183 quickdelete 21a96bc
  • new togglebutton qdel in the UI which reduces the number of deletion confirmations by one
  • global-option --qdel=0 which can bring it all the way to zero (good luck)

🩹 bugfixes

• fix unpost in recently created shares 2d322dd
• fix filekeys on windows df6d4df

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-02-25)

recent important news

• v1.16.15 (2025-02-25) fixed low-severity xss when uploading maliciously-named files
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

• #181 the default chmod (unix-permissions) of new files and folders can now be changed 9921c43
  • --chmod-d or volflag chmod_d sets directory permissions; default is 755
  • --chmod-f or volflag chmod_f sets file permissions; default is usually 644 (OS-defined)
  • see --help-chmod which explains the numbers

🩹 bugfixes

• #179 couldn't combine --shr (shares) and --xvol (symlink-guard) 0f0f8d9
• #180 gallery buttons could still be clicked when faded-out 8c32b0e
• rss-feeds were slightly busted when combined with rp-loc (location-based proxying) 56d3bcf
• music-playback within search-results no longer jumps into the next folder at end-of-list 9bc4c5d
• video-playback on iOS now behaves like on all other platforms 78605d9
  • (it would force-switch into fullscreen because that's their default)

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-02-25)

recent important news

• v1.16.15 (2025-02-25) fixed low-severity xss when uploading maliciously-named files
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

• IdP-volumes can optionally be persisted across restarts d162502
  • there is a UI to manage the cached users/groups 4f264a0
    • only available to users listed in the new option --idp-adm
• api for manually rescanning several volumes at once 42c199e
  • /some/path/?scan does that one volume like before
  • /any/path/?scan=/vol1,/another/vol2 rescans /vol1 and /another/vol2
• volflag to hide volume from listing in controlpanel fd7c71d

🩹 bugfixes

• macos: fix confusing crash when blocked by Little Snitch bf11b2a
• unpost could break in some hairy reverseproxy setups 1b2d398
• copyparty32.exe: fix segfault on win7 c9fafb2
• ui: fix navpane overlapping the scrollbar (still a bit jank but eh) 7ef6fd1
• usb-eject: support all volume names ed908b9
• docker: ensure clean slate deb6711
• fix up2k on ie11 d271443

🔧 other changes

• update buildscript for keyfinder to support llvm 65c4e03
• #175 add python-magic into the iv and dj docker flavors (thx @Morganamilo) 77274e9
• properly killed the experimental docker flavors to avoid confusion 8306e3d
• copyparty.exe: updated pillow 299cff3 f6be390
  • avif support was removed to save 2 MiB

🌠 fun facts

• this release was slightly delayed due to a norwegian traffic jam

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-02-25)

recent important news

• v1.16.15 (2025-02-25) fixed low-severity xss when uploading maliciously-named files
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

• textfile-viewer can now livestream logfiles (and other growing files) 17fa490 77df17d a1c7a09 6ecf4fd
  • see readme and the live demo
• IdP-volumes: extend syntax for excluding certain users/groups 2e53f79
  • the commit-message explains it well enough
• new option --see-dots to show dotfiles in the web-ui by default c599e2a
• #171 automatic mimetype detection for files without extensions (thx @Morganamilo!) ec05f8c 9dd5dec
  • default-disabled since it has a performance impact on webdav
    • there are plans to fix this by using the db instead
• #170 improve custom filetype icons
  • be less strict; if a thumbnail is set for .gz files, use it for .tar.gz too c75b0c2
  • improve config docs fa5845f

🩹 bugfixes

• cosmetic: get rid of some noise along the bottom of some cards in the gridview 8cae7a7
• cosmetic: satisfy a new syntax warning in cpython-3.14 5ac3864

🔧 other changes

• properly document how to build from source / build from scratch f61511d
• update deps
  • copyparty.exe: python 3.13 1eff87c
  • webdeps: dompurify 7eca90c

🌠 fun facts

• this release was cooked up in a swedish forest cabin

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-02-25)

recent important news

• v1.16.15 (2025-02-25) fixed low-severity xss when uploading maliciously-named files
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
• v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

• not this time

🩹 bugfixes

• up2k: improve file-hashing speed on recent versions of google chrome e3e51fb
  • speed increased from 319 to 513 MiB/s by default (but older chrome versions did 748...)
  • read the commit message for the full story, but basically chrome has gotten gradually slower over the past couple versions (starting from v133) and this makes it slightly less bad again
  • hashing speed can be further improved from 0.5 to 1.1 GiB/s by enabling the [wasm] option in the [⚙️] settings tab
    • this option can be made default-enabled with --nosubtle 137 but beware that this increases the chances of running into browser-bugs (foreshadowing...)
• up2k: fix errorhandler for browser-bugs (oom and such) 49c7124
  • because chrome-bug 383568268 is about to make a surprise return?!
• #168 fix uploading into shares if path-based proxying is used 9cb93ae
• #165 unconditionally heed --rp-loc 84f5f41
  • the config-option for path-based proxying was ignored if the reverse-proxy was untrusted; this was confusing and not strictly necessary

🔧 other changes

• #166 the nixos module was improved once more (thx @msfjarvis!) 48470f6 60fb120
• added usage instructions to minimal-up2k.js, the up2k-ui simplifier 1d308ee
• docker: improve feedback if config is bad or missing 28b63e5

🌠 fun facts

• this release was tested using an unreliable rdp connection through two ssh-jumphosts to a qemu win10 vm back home from the bergen-oslo night train wifi

⚠️ not the latest version!