Go modules package
github.com/forceu/gokapi
pkg:golang/github.com/forceu/gokapi
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30961 | — | < 2.2.4 | 2.2.4 | Mar 13, 2026 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request l | ||
| CVE-2026-30955 | — | < 2.2.4 | 2.2.4 | Mar 13, 2026 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This v | ||
| CVE-2026-30943 | — | < 2.2.4 | 2.2.4 | Mar 13, 2026 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by | ||
| CVE-2026-29084 | — | < 2.2.3 | 2.2.3 | Mar 6, 2026 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly | ||
| CVE-2026-29061 | — | < 2.2.3 | 2.2.3 | Mar 6, 2026 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermMana | ||
| CVE-2026-29060 | — | < 2.2.3 | 2.2.3 | Mar 6, 2026 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be | ||
| CVE-2026-28683 | — | < 2.2.3 | 2.2.3 | Mar 6, 2026 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3. | ||
| CVE-2026-28682 | — | < 2.2.3 | 2.2.3 | Mar 6, 2026 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped | ||
| CVE-2025-48495 | — | >= 1.0.1, <= 1.9.6 | — | Jun 2, 2025 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior | ||
| CVE-2025-48494 | — | >= 1.0.1, <= 1.9.6 | — | Jun 2, 2025 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every t |
- CVE-2026-30961Mar 13, 2026affected < 2.2.4fixed 2.2.4
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request l
- CVE-2026-30955Mar 13, 2026affected < 2.2.4fixed 2.2.4
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This v
- CVE-2026-30943Mar 13, 2026affected < 2.2.4fixed 2.2.4
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by
- CVE-2026-29084Mar 6, 2026affected < 2.2.3fixed 2.2.3
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly
- CVE-2026-29061Mar 6, 2026affected < 2.2.3fixed 2.2.3
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermMana
- CVE-2026-29060Mar 6, 2026affected < 2.2.3fixed 2.2.3
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be
- CVE-2026-28683Mar 6, 2026affected < 2.2.3fixed 2.2.3
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.
- CVE-2026-28682Mar 6, 2026affected < 2.2.3fixed 2.2.3
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped
- CVE-2025-48495Jun 2, 2025affected >= 1.0.1, <= 1.9.6
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior
- CVE-2025-48494Jun 2, 2025affected >= 1.0.1, <= 1.9.6
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every t