Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.
References
| Link | Resource |
|---|---|
| https://github.com/Forceu/Gokapi/releases/tag/v2.2.3 | Release Notes |
| https://github.com/Forceu/Gokapi/security/advisories/GHSA-3c22-5j5m-4jq7 | Vendor Advisory |
Configurations
History
09 Mar 2026, 18:52
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Forceu
Forceu gokapi |
|
| References | () https://github.com/Forceu/Gokapi/releases/tag/v2.2.3 - Release Notes | |
| References | () https://github.com/Forceu/Gokapi/security/advisories/GHSA-3c22-5j5m-4jq7 - Vendor Advisory | |
| CPE | cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:* |
09 Mar 2026, 13:36
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
06 Mar 2026, 05:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-06 05:16
Updated : 2026-03-09 18:52
NVD link : CVE-2026-28683
Mitre link : CVE-2026-28683
CVE.ORG link : CVE-2026-28683
JSON object : View
Products Affected
forceu
- gokapi
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')