Gokapi login page accepts malicious requests without proper security checks

CVE-2026-29084 GHSA-hcff-qv74-7hr4
Summary

Gokapi's login page does not protect against attackers trying to trick users into submitting credentials to fake websites. This makes it possible for attackers to steal user login information. Upgrade to version 2.2.3 or later to fix this vulnerability.

What to do
  • Update Gokapi (github.com/forceu/gokapi) to version 2.2.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | forceu | <= 2.2.3 | 2.2.3 |
| forceu | github.com/forceu/gokapi | <= 2.2.3 | 2.2.3 |
| forceu | gokapi | <= 2.2.3 | – |
Original description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. This issue has been patched in version 2.2.3.
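
The control the description says is missing, sketched as an added Go example (not Gokapi's code and not its 2.2.3 patch): a pre-session double-submit token that the login handler checks before it reads credentials or creates a session. The handler and helper names, the cookie name, the `csrf` form field and the constructed form values are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const csrfCookie = "__Host-login_csrf" // assumed name; the __Host- prefix pins the cookie to this host

// issueToken sets a random pre-session token cookie and returns it for the form's hidden field.
func issueToken(w http.ResponseWriter) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no randomness available: fail closed
	}
	tok := fmt.Sprintf("%x", b)
	http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: tok, Path: "/", Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode})
	return tok
}

// loginPost (hypothetical handler) rejects a login POST whose form token does not match the cookie.
func loginPost(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(csrfCookie)
	if err != nil || c.Value == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(r.PostFormValue("csrf"))) != 1 {
		http.Error(w, "invalid CSRF token", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK) // credential validation and session creation go here, after the check
}

// simulate issues a token, posts the login form with or without it, and returns the HTTP status.
func simulate(sendToken bool) int {
	issued := httptest.NewRecorder()
	body := "csrf=" + issueToken(issued) // hex, so no URL escaping is needed
	if !sendToken {
		body = "username=admin&password=constructed-pw" // constructed form that lacks the token
	}
	r := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.AddCookie(issued.Result().Cookies()[0]) // cookie attached even in the tokenless case
	w := httptest.NewRecorder()
	loginPost(w, r)
	return w.Code
}

func main() { fmt.Println(simulate(true), simulate(false)) }
```

The tokenless request is refused even though the cookie accompanies it, because a form built on another origin cannot read the token value it would need to echo back.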
NVD CVSS 3.1 score: 4.6
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026