9 matches found
CVE-2026-28683
CVE-2026-28683 (Gokapi) : A stored XSS exists in Gokapi prior to v2.2.3 where a malicious authenticated user can upload an SVG and hotlink it, enabling stored XSS. The issue is resolved in v2.2.3. CVSS: 3.1, Privileges Required: Low, User Interaction: Required, Impact on Confidentiality/Integrity...
CVE-2026-28683 Gokapi: Stored XSS in SVG Hotlinks
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3...
GHSA-3C22-5J5M-4JQ7 Gokapi has Stored XSS in SVG Hotlinks
Summary If a malicious authenticated user uploads SVG and creates a hotlink for it, they achieve stored XSS. Details The hotlinking functionality fails to properly handle scripts included in the SVGs, allowing authenticated attackers with the ability to upload and hotlink files to execute arbitrar...
Gokapi has Stored XSS in SVG Hotlinks
Summary If a malicious authenticated user uploads SVG and creates a hotlink for it, they achieve stored XSS. Details The hotlinking functionality fails to properly handle scripts included in the SVGs, allowing authenticated attackers with the ability to upload and hotlink files to execute arbitrar...
CVE-2018-20907
cPanel before 71.9980.37 does not enforce the Mime::listhotlinks API feature restriction SEC-432...
Persistent CSRF and The Hotlink Hell
http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell/ http://michaeldaw.org/papers/hotlinkpersistentcsrf/ I would like to bring your attention to a topic that has been rarely discussed. I am going to talk about hotlinks, redirections and of course CSRF Cross-site Request Forgery...
[Full-disclosure] Persistent CSRF and The Hotlink Hell
http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell/ http://michaeldaw.org/papers/hotlinkpersistentcsrf/ I would like to bring your attention to a topic that has been rarely discussed. I am going to talk about hotlinks, redirections and of course CSRF Cross-site Request Forgery...