109 matches found
Gokapi 资源管理错误漏洞
Gokapi is a lightweight, self-hosted alternative to Firefox sending messages developed by Marc Bulling. Prior to version 2.2.4 of Gokapi, there was a resource management vulnerability. This vulnerability stemmed from the API endpoint accepting unlimited request bodies, which could potentially cau...
Gokapi 安全漏洞
Gokapi is a lightweight, self-hosted alternative to Firefox sending by Marc Bulling. Versions of Gokapi prior to 2.2.4 contained a security vulnerability, where the path for multipart uploads did not verify the total file size. This vulnerability could allow attackers to upload extremely large...
Gokapi 安全漏洞
Gokapi is a lightweight, self-hosted alternative to Firefox sending messages developed by Marc Bulling. Versions of Gokapi prior to 2.2.4 contained a security vulnerability, which stemmed from insufficient authorization checks in the file replacement API. This vulnerability could potentially lead...
PT-2026-25356
Name of the Vulnerable Software and Affected Versions Gokapi versions prior to 2.2.4 Description Gokapi is a self-hosted file sharing server. An authorization flaw in the file replace API allows a user with list visibility permission UserPermListOtherUploads to delete another user's file by...
GO-2026-4612 Gokapi has Stored XSS in SVG Hotlinks in github.com/forceu/gokapi
Gokapi has Stored XSS in SVG Hotlinks in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an...
GO-2026-4615 Gokapi has privilege escalation with auth token in github.com/forceu/gokapi
Gokapi has privilege escalation with auth token in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please...
GO-2026-4613 Gokapi has Data Leak in Upload Status Stream in github.com/forceu/gokapi
Gokapi has Data Leak in Upload Status Stream in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please...
GO-2026-4624 Gokapi has CSRF in Login Endpoint in github.com/forceu/gokapi
Gokapi has CSRF in Login Endpoint in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an edi...
GO-2026-4626 Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion in github.com/forceu/gokapi
Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
CVE-2026-29084
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a...
CVE-2026-28683
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3...
CVE-2026-28682
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes fileid values that are not scoped to the requesting...
CVE-2026-29084
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a...
CVE-2026-29060
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with...
CVE-2026-28683
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3...
CVE-2026-28682
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes fileid values that are not scoped to the requesting...
CVE-2026-29084 Gokapi: CSRF in Login Endpoint
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a...
CVE-2026-29084 Gokapi: CSRF in Login Endpoint
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a...
CVE-2026-29084 Gokapi: CSRF in Login Endpoint
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a...
CVE-2026-29084
CVE-2026-29084 affects Gokapi (self-hosted file sharing server). Before version 2.2.3 its login flow lacks CSRF protection tied to the browser session context; the handler parses form values and creates a session after credential validation, enabling potential unauthorized session creation. The i...