Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.
Published: 2026-03-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Upgrade
AI Analysis

Impact

A malicious authenticated user can upload a specially crafted SVG file, create a hotlink for it, and cause arbitrary JavaScript to execute in the web browser of any user who views the hotlink. The stored XSS flaw is a classic example of CWE‑79, allowing attackers to hijack sessions, steal credentials or other sensitive data, and potentially deface the interface. The impact is confined to the victim’s browser session but can undermine trust and allow credential theft for accounts that have access to the system.

Affected Systems

The vulnerability exists in all versions of the Gokapi self‑hosted file sharing server prior to version 2.2.3 released by Forceu. Anyone running Gokapi 2.2.2 or earlier and allowing authenticated uploads of SVG files is susceptible.

Risk and Exploitability

With a CVSS score of 8.7, the flaw is considered high severity. The EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog, indicating a low current exploitation probability and no documented focus by malicious actors. The attack requires an authenticated account, but once a maliciously crafted SVG has been uploaded and hotlinked, any user viewing the hotlink will trigger the embedded script. The risk to an organization therefore depends on the number of users who may view hotlinked SVGs and the sensitivity of the data accessible from their browser sessions.

Generated by OpenCVE AI on April 16, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gokapi to version 2.2.3 or later to remove the stored XSS flaw
  • If an upgrade is not immediately feasible, disable the ability for authenticated users to upload or create hotlinks for SVG files
  • Restrict SVG uploads to trusted administrators only and enforce strict content‑type validation to reject non‑SVG MIME types

Generated by OpenCVE AI on April 16, 2026 at 11:36 UTC.
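One defensive way of serving uploaded SVGs so that a hotlink cannot run script in the sharing site's origin, as an added Go example that is not Gokapi's code and does not describe how the 2.2.3 fix was implemented; the sample SVG, the handler and function names, and the content-sniffing rule are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample of an uploaded SVG carrying a script element, standing in
// for the kind of file the advisory describes (illustration, not a real upload).
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>`

// isSVG treats a file as SVG if the uploader declared it so or if the bytes
// contain an <svg> element, so a renamed SVG is not served as something else.
func isSVG(declaredType string, data []byte) bool {
	return strings.HasPrefix(strings.ToLower(declaredType), "image/svg") ||
		bytes.Contains(bytes.ToLower(data), []byte("<svg"))
}

// serveUpload writes a stored file to the client. For SVG it sets headers that
// keep embedded script from running in the sharing site's origin: a CSP that
// allows no script and sandboxes the document, and an attachment disposition so
// direct navigation to the hotlink downloads the file instead of rendering it.
func serveUpload(w http.ResponseWriter, name, declaredType string, data []byte) {
	w.Header().Set("X-Content-Type-Options", "nosniff")
	disposition, contentType := "inline", declaredType
	if isSVG(declaredType, data) {
		disposition, contentType = "attachment", "image/svg+xml"
		w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	}
	w.Header().Set("Content-Type", contentType)
	// mime.FormatMediaType quotes the filename, so a crafted name cannot inject header text.
	w.Header().Set("Content-Disposition", mime.FormatMediaType(disposition, map[string]string{"filename": name}))
	w.Write(data)
}

// hotlinkHeaders captures the headers serveUpload emits, without a running server.
func hotlinkHeaders(name, declaredType string, data []byte) http.Header {
	rec := httptest.NewRecorder()
	serveUpload(rec, name, declaredType, data)
	return rec.Header()
}

func main() {
	h := hotlinkHeaders("evil.svg", "image/svg+xml", []byte(sampleSVG))
	fmt.Println(h.Get("Content-Security-Policy"), "|", h.Get("Content-Disposition"))
}
```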


Advisories

Source: Github GHSA
ID: GHSA-3c22-5j5m-4jq7
Title: Gokapi has Stored XSS in SVG Hotlinks
History

Mon, 09 Mar 2026 19:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Forceu; Forceu gokapi

Type: Vendors & Products
Values Added: Forceu; Forceu gokapi

Fri, 06 Mar 2026 05:15:00 +0000

Type: Description
Values Added: Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.

Type: Title
Values Added: Gokapi: Stored XSS in SVG Hotlinks

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (no values listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:06:43.449Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28683

Vulnrichment

Updated: 2026-03-06T15:58:14.419Z

NVD

Status: Analyzed

Published: 2026-03-06T05:16:38.443

Modified: 2026-03-09T18:52:48.920

Link: CVE-2026-28683

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses