anonhaven
Ad

CVE-2026-28683

HIGH CVSS 3.1: 8.7 EPSS 0.01%
Updated Mar 06, 2026
Gokapi
Parameter Value
CVSS 8.7 (HIGH)
Fixed In 2.2.3
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Gokapi
Public PoC No

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 2

https://github.com/Forceu/Gokapi/releases/tag/v2.2.3
security-advisories@github.com
https://github.com/Forceu/Gokapi/security/advisories/GHSA-3c22-5j5m-4jq7
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-30961

Forceu

4.3

CVE-2026-30955

Forceu

6.5

CVE-2026-30943

Forceu

4.1

CVE-2026-29084

Gokapi

4.6

CVE-2026-29061

Gokapi

5.4