CVE-2026-28682 Gokapi — Exploit & Vulnerability Details MEDIUM

CVE-2026-28682

MEDIUM CVSS 3.1: 6.4 EPSS 0.01%

Parameter	Value
CVSS	6.4 (MEDIUM)
Fixed In	2.2.3
Type	CWE-200 (Information Exposure), CWE-284 (Improper Access Control)
Vendor	Gokapi
Public PoC	No

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

Low

Partial data leak

Integrity

Low

Partial data modification

Availability

None

No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-200 Information Exposure

CWE-284 Improper Access Control

References 2

https://github.com/Forceu/Gokapi/releases/tag/v2.2.3

security-advisories@github.com

https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-30961

Forceu

4.3

CVE-2026-30955

Forceu

6.5

CVE-2026-30943

Forceu

4.1

CVE-2026-29084

Gokapi

4.6

CVE-2026-29061

Gokapi

5.4

Menu

CVE-2026-28682

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-30961

CVE-2026-30955

CVE-2026-30943

CVE-2026-29084

CVE-2026-29061

CVE Details

Editor's Choice

Menu

CVE-2026-28682

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-30961

CVE-2026-30955

CVE-2026-30943

CVE-2026-29084

CVE-2026-29061

CVE Details

Editor's Choice

Stay informed on cybersecurity