Skip to main content

Gokapi CVE-2026-28683

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-06 security-advisories@github.com GHSA-3c22-5j5m-4jq7
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 05:16 nvd
HIGH 8.7

DescriptionGitHub Advisory

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.

AnalysisAI

Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript in users' browsers via hotlinked files. An attacker with valid credentials can craft SVG payloads that persist in the application and compromise other users accessing the shared links. No patch is currently available for versions prior to 2.2.3.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Gokapi. Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.

RemediationAI

Fixed in version 2.2.3.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-28683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy