Lucene search: Forceu Gokapi

10 matches found

CVE
added 2025/06/02 11:8 a.m. | 68 views

CVE-2025-48495

Gokapi (self-hosted file sharing server) has a stored XSS in the API key friendly name. By renaming an API key, an authenticated user could inject JS that executes when another user opens the API tab. Before 2.0.0 there was no user-permission system, so authenticated users could see/modify all re...

CVSS 5.4 | AI score 6.2 | EPSS 0.00117

CVE
added 2025/06/02 11:3 a.m. | 56 views

CVE-2025-48494

CVE-2025-48494 concerns Gokapi, a self-hosted file sharing server. The issue is a stored XSS vulnerability when using end-to-end encryption: uploading a file with a JavaScript payload in the filename, which is parsed when the upload list is opened. Before version 2.0.0, there was no user-permissi...

CVSS 5.4 | AI score 5.7 | EPSS 0.0014

CVE
added 2026/03/06 4:45 a.m. | 20 views

CVE-2026-29061

Gokapi CVE-2026-29061 summary (based on connected docs): Gokapi is a self-hosted file sharing server. Before version 2.2.3, a privilege-escalation flaw in the user rank demotion logic allows a demoted user’s existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, ...

CVSS 5.4 | AI score 5.8 | EPSS 0.00116

CVE
added 2026/03/06 4:44 a.m. | 18 views

CVE-2026-29060

Gokapi CVE-2026-29060 affects pre-2.2.3 builds of Gokapi (self-hosted file sharing with encryption). Registered users without rights to create/modify file requests could generate a short‑lived API key and perform those actions, an issue patched in 2.2.3 per CVE description. SUSE and PTSecurity en...

CVSS 5 | AI score 5.8 | EPSS 0.00137

CVE
added 2026/03/06 4:44 a.m. | 17 views

CVE-2026-28683

CVE-2026-28683 (Gokapi): A stored XSS exists in Gokapi prior to v2.2.3 where a malicious authenticated user can upload an SVG and hotlink it, enabling stored XSS. The issue is resolved in v2.2.3. CVSS: 3.1, Privileges Required: Low, User Interaction: Required, Impact on Confidentiality/Integrity...

CVSS 8.7 | AI score 5.8 | EPSS 0.00189

CVE
added 2026/03/06 4:43 a.m. | 14 views

CVE-2026-28682

Gokapi CVE-2026-28682 affects the self-hosted file sharing server Gokapi prior to 2.2.3. The vulnerability lies in the upload status SSE implementation for /uploadStatus, which previously published the global upload state to any authenticated listener and included file_id values not scoped to the...

CVSS 6.4 | AI score 5.9 | EPSS 0.00133

CVE
added 2026/03/06 4:45 a.m. | 14 views

CVE-2026-29084

CVE-2026-29084 affects Gokapi (self-hosted file sharing server). Before version 2.2.3 its login flow lacks CSRF protection tied to the browser session context; the handler parses form values and creates a session after credential validation, enabling potential unauthorized session creation. The i...

CVSS 4.6 | AI score 5.8 | EPSS 0.00076

CVE
added 2026/03/13 7:7 p.m. | 13 views

CVE-2026-30955

Gokapi (self-hosted file sharing server) is affected by CVE-2026-30955 due to an API endpoint that accepts unbounded request bodies, allowing an authenticated user to cause an out-of-memory (OOM) kill and complete service disruption for all users. The issue is fixed in version 2.2.4. Impact: ava...

CVSS 6.5 | AI score 5.8 | EPSS 0.00248

CVE
added 2026/03/13 7:7 p.m. | 8 views

CVE-2026-30943

Gokapi prior to version 2.2.4 contains an insufficient authorization check in the file replace API. A user with only list visibility permission (UserPermListOtherUploads) could delete another user’s file by abusing the deleteNewFile flag, effectively escalating privileges. The issue is fixed in 2...

CVSS 4.1 | AI score 5.8 | EPSS 0.00179

CVE
added 2026/03/13 7:9 p.m. | 7 views

CVE-2026-30961

Gokapi

CVSS 4.3 | AI score 5.7 | EPSS 0.00253