
109 matches found

OSV
added 2026/03/06 4:45 a.m. | 6 views

CVE-2026-29061 Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permission...

CVSS 5.4 | AI score 5.7 | EPSS 0.00116
Exploits: 0 | References: 4

Vulnrichment
added 2026/03/06 4:45 a.m. | 2 views

CVE-2026-29061 Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permission...

CVSS 5.4 | AI score 5.7 | EPSS 0.00116
Exploits: 0 | References: 2

Cvelist
added 2026/03/06 4:45 a.m. | 32 views

CVE-2026-29061 Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permission...

CVSS 5.4 | EPSS 0.00116
Exploits: 0 | References: 2

CVE
added 2026/03/06 4:45 a.m. | 16 views

CVE-2026-29061

Gokapi CVE-2026-29061 summary (based on connected docs): Gokapi is a self-hosted file sharing server. Before version 2.2.3, a privilege-escalation flaw in the user rank demotion logic allows a demoted user’s existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, ...

CVSS 5.4 | AI score 5.8 | EPSS 0.00116
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2026/03/06 4:44 a.m. | 27 views

CVE-2026-29060 Gokapi: Privilege escalation with auth token

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with...

CVSS 5 | EPSS 0.00137
Exploits: 0 | References: 2

CVE
added 2026/03/06 4:44 a.m. | 18 views

CVE-2026-29060

Gokapi CVE-2026-29060 affects pre-2.2.3 builds of Gokapi (self-hosted file sharing with encryption). Registered users without rights to create/modify file requests could generate a short‑lived API key and perform those actions, an issue patched in 2.2.3 per CVE description. SUSE and PTSecurity en...

CVSS 5 | AI score 5.8 | EPSS 0.00137
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/03/06 4:44 a.m. | 3 views

CVE-2026-29060 Gokapi: Privilege escalation with auth token

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with...

CVSS 5 | AI score 5.7 | EPSS 0.00137
Exploits: 0 | References: 2

OSV
added 2026/03/06 4:44 a.m. | 5 views

CVE-2026-29060 Gokapi: Privilege escalation with auth token

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with...

CVSS 5 | AI score 5.7 | EPSS 0.00137
Exploits: 0 | References: 4

Cvelist
added 2026/03/06 4:44 a.m. | 30 views

CVE-2026-28683 Gokapi: Stored XSS in SVG Hotlinks

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3...

CVSS 8.7 | EPSS 0.00189
Exploits: 0 | References: 2

Vulnrichment
added 2026/03/06 4:44 a.m. | 2 views

CVE-2026-28683 Gokapi: Stored XSS in SVG Hotlinks

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3...

CVSS 8.7 | AI score 5.7 | EPSS 0.00189
Exploits: 0 | References: 2

CVE
added 2026/03/06 4:44 a.m. | 12 views

CVE-2026-28683

CVE-2026-28683 (Gokapi): A stored XSS exists in Gokapi prior to v2.2.3 where a malicious authenticated user can upload an SVG and hotlink it, enabling stored XSS. The issue is resolved in v2.2.3. CVSS: 3.1, Privileges Required: Low, User Interaction: Required, Impact on Confidentiality/Integrity...

CVSS 8.7 | AI score 5.8 | EPSS 0.00189
Exploits: 0 | References: 2 | Affected Software: 1

OSV
added 2026/03/06 4:44 a.m. | 5 views

CVE-2026-28683 Gokapi: Stored XSS in SVG Hotlinks

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3...

CVSS 8.7 | AI score 5.7 | EPSS 0.00189
Exploits: 0 | References: 4

Cvelist
added 2026/03/06 4:43 a.m. | 32 views

CVE-2026-28682 Gokapi: Data Leak in Upload Status Stream

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes fileid values that are not scoped to the requesting...

CVSS 6.4 | EPSS 0.00133
Exploits: 0 | References: 2

Vulnrichment
added 2026/03/06 4:43 a.m. | 2 views

CVE-2026-28682 Gokapi: Data Leak in Upload Status Stream

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes fileid values that are not scoped to the requesting...

CVSS 6.4 | AI score 5.7 | EPSS 0.00133
Exploits: 0 | References: 2

CVE
added 2026/03/06 4:43 a.m. | 12 views

CVE-2026-28682

Gokapi CVE-2026-28682 affects the self-hosted file sharing server Gokapi prior to 2.2.3. The vulnerability lies in the upload status SSE implementation for /uploadStatus, which previously published the global upload state to any authenticated listener and included file_id values not scoped to the...

CVSS 6.4 | AI score 5.9 | EPSS 0.00133
Exploits: 0 | References: 2 | Affected Software: 1

OSV
added 2026/03/06 4:43 a.m. | 3 views

CVE-2026-28682 Gokapi: Data Leak in Upload Status Stream

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes fileid values that are not scoped to the requesting...

CVSS 6.4 | AI score 5.7 | EPSS 0.00133
Exploits: 0 | References: 4

CNNVD
added 2026/03/06 12:0 a.m. | 7 views

Gokapi access control error vulnerability

Gokapi is a lightweight, self-hosted alternative to Firefox Send, developed by Marc Bulling. Versions of Gokapi prior to 2.2.3 contained an access control vulnerability, which was caused by a flaw in the user downgrade logic, potentially leading to privilege escalation...

CVSS 5.4 | AI score 7.2 | EPSS 0.00116
Exploits: 0 | References: 3

CNNVD
added 2026/03/06 12:0 a.m. | 6 views

Gokapi access control error vulnerability

Gokapi is a lightweight, self-hosted alternative to Firefox Send, developed by Marc Bulling. Versions of Gokapi prior to 2.2.3 contained an access control vulnerability. This vulnerability stemmed from the ability of users without the permission to create or modify files to create temporary API keys with...

CVSS 5 | AI score 7.3 | EPSS 0.00137
Exploits: 0 | References: 3

CNNVD
added 2026/03/06 12:0 a.m. | 6 views

Gokapi cross-site request forgery vulnerability

Gokapi is a lightweight, self-hosted alternative to Firefox Send, developed by Marc Bulling. Versions of Gokapi prior to 2.2.3 had a cross-site request forgery vulnerability. This vulnerability stemmed from the lack of cross-site request forgery protection in the login process, which could lead to...

CVSS 4.6 | AI score 7.2 | EPSS 0.00076
Exploits: 0 | References: 3

CNNVD
added 2026/03/06 12:0 a.m. | 4 views

Gokapi cross-site scripting vulnerability

Gokapi is a lightweight, self-hosted alternative to Firefox Send, developed by Marc Bulling. Versions of Gokapi prior to 2.2.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from malicious authenticated users uploading SVG files and creating hotlinks, which...

CVSS 8.7 | AI score 7.1 | EPSS 0.00189
Exploits: 0 | References: 2