8.7

Gokapi: Authenticated User Can Steal Data with Malicious SVG Upload

CVE-2026-28683 GHSA-3c22-5j5m-4jq7
Summary

A malicious user with an account on your Gokapi file sharing server can upload a malicious SVG file and create a link to it. This could allow them to steal sensitive data from other users. Update to version 2.2.3 or later to fix this issue.

What to do
  • Update github.com/forceu/gokapi to version 2.2.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | forceu | <= 2.2.3 | 2.2.3 |
| forceu | github.com/forceu/gokapi | <= 2.2.3 | 2.2.3 |
| forceu | gokapi | <= 2.2.3 | – |
Original title
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, the...
Original description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.
nvd CVSS3.1 8.7
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
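
An added example, not Gokapi's 2.2.3 patch and not code from this advisory: one general way a Go file server can serve directly linked uploads such as SVG so that embedded script does not run in the application's origin. The handler name serveHotlink, the extension list and the sample file are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// Extensions a browser can run script from when the file is opened directly
// (assumed list for this example).
var activeExt = map[string]bool{
	".svg": true, ".svgz": true, ".html": true, ".htm": true, ".xhtml": true, ".xml": true,
}

// serveHotlink is a hypothetical handler body for a direct link to an uploaded
// file; name and body stand in for the stored upload.
func serveHotlink(w http.ResponseWriter, name string, body []byte) {
	ext := strings.ToLower(filepath.Ext(name))
	ctype := mime.TypeByExtension(ext)
	if ctype == "" {
		ctype = "application/octet-stream"
	}
	h := w.Header()
	h.Set("Content-Type", ctype)
	h.Set("X-Content-Type-Options", "nosniff") // browser must not re-guess the type
	if activeExt[ext] {
		// "sandbox" without allow-scripts: the document gets an opaque origin
		// and script is disabled, so it cannot act with the viewer's session.
		h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
		// Direct navigation downloads the file instead of rendering it.
		h.Set("Content-Disposition",
			mime.FormatMediaType("attachment", map[string]string{"filename": filepath.Base(name)}))
	}
	w.Write(body)
}

func main() {
	// Constructed sample upload: an SVG carrying an inline script element.
	svg := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>/* attacker-controlled */</script></svg>`)
	rec := httptest.NewRecorder()
	serveHotlink(rec, "logo.SVG", svg)
	for _, k := range []string{"Content-Type", "Content-Security-Policy", "Content-Disposition"} {
		fmt.Printf("%s: %s\n", k, rec.Header().Get(k))
	}
}
```

Checking a deployed instance's hotlink responses for these headers is a quick way to see how uploaded SVGs are being served; upgrading to 2.2.3 remains the fix this advisory gives.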