CVE-2025-48494
Gokapi vulnerable to stored XSS via uploading file with malicious file name
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Gokapi vulnerable to stored XSS via uploading file with malicious file name
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed. Prior to version 2.0.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users using a version prior to 2.0.0. If a user is the only authenticated user using Gokapi, they are not affected. This issue has been fixed in v2.0.0. A possible workaround would be to disable end-to-end encryption.
Reserved 2025-05-22 | Published 2025-06-02 | Updated 2025-06-02 | Assigner GitHub_MCWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-87: Improper Neutralization of Alternate XSS Syntax
github.com/...Gokapi/security/advisories/GHSA-95rc-wc32-gm53
github.com/...ommit/343cc566cfd7f4efcd522c92371561d494aed6b0
github.com/Forceu/Gokapi/releases/tag/v2.0.0
Support options
