Gokapi
CVE-2026-28682
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.
AnalysisAI
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 6.4 MEDIUM]
Technical ContextAI
Classified as CWE-200 (Information Exposure). Affects Gokapi. Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.
RemediationAI
Fixed in version 2.2.3.. Restrict network access to the affected service where possible.
Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encr
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly n
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 5.4 MEDIUM]
Privilege escalation in Gokapi prior to version 2.2.3 allows authenticated users to generate API keys with elevated perm
Gokapi versions prior to 2.2.3 lack CSRF protection on the login endpoint, allowing authenticated attackers to perform u
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c36c-7pc2-f2ph