anonhaven
Ad

CVE-2026-28682

MEDIUM CVSS 3.1: 6.4 EPSS 0.01%
Updated Mar 06, 2026
Gokapi
Parameter Value
CVSS 6.4 (MEDIUM)
Fixed In 2.2.3
Type CWE-200 (Information Exposure (Раскрытие информации)), CWE-284 (Improper Access Control (Неправильный контроль доступа))
Vendor Gokapi
Public PoC No

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
Low
Нужны базовые права
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
Low
Частичная утечка данных
Integrity
Low
Частичная модификация данных
Availability
None
Нет нарушения работы

CVSS Vector v3.1

Weakness Type (CWE)

CWE-200 Information Exposure (Раскрытие информации)
CWE-284 Improper Access Control (Неправильный контроль доступа)

References 2

https://github.com/Forceu/Gokapi/releases/tag/v2.2.3
security-advisories@github.com
https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-29084

Gokapi

4.6

CVE-2026-29061

Gokapi

5.4

CVE-2026-29060

Gokapi

5.0

CVE-2026-28683

Gokapi

8.7