{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28683", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.927Z", "datePublished": "2026-03-06T04:44:32.546Z", "dateUpdated": "2026-03-06T16:06:43.449Z"}, "containers": {"cna": {"title": "Gokapi: Stored XSS in SVG Hotlinks", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-3c22-5j5m-4jq7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-3c22-5j5m-4jq7"}, {"name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"version": "< 2.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:44:32.546Z"}, "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3."}], "source": {"advisory": "GHSA-3c22-5j5m-4jq7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T15:58:13.384293Z", "id": "CVE-2026-28683", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:06:43.449Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28683", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T15:58:13.384293Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:58:14.419Z"}}], "cna": {"title": "Gokapi: Stored XSS in SVG Hotlinks", "source": {"advisory": "GHSA-3c22-5j5m-4jq7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"status": "affected", "version": "< 2.2.3"}]}], "references": [{"url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-3c22-5j5m-4jq7", "name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-3c22-5j5m-4jq7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:44:32.546Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28683", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:06:43.449Z", "dateReserved": "2026-03-02T21:43:19.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:44:32.546Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "8645BF69-6E20-4571-ABA4-A9C590D032C8", "versionEndExcluding": "2.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3."}, {"lang": "es", "value": "Gokapi es un servidor de intercambio de archivos autoalojado con expiraci\u00f3n autom\u00e1tica y soporte de cifrado. Antes de la versi\u00f3n 2.2.3, si un usuario autenticado malicioso sube un SVG y crea un enlace directo para \u00e9l, puede lograr XSS almacenado. Este problema ha sido parcheado en la versi\u00f3n 2.2.3."}], "id": "CVE-2026-28683", "lastModified": "2026-03-09T18:52:48.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:38.443", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-3c22-5j5m-4jq7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Gokapi", "source": "cna", "vendor": "Forceu"}, "product": "gokapi", "vendor": "forceu"}], "analysis": {"en": {"generated_at": "2026-04-16T11:36:01.815806+00:00", "value": {"mitigation_remediation": ["Upgrade Gokapi to version 2.2.3 or later to remove the stored XSS flaw", "If an upgrade is not immediately feasible, disable the ability for authenticated users to upload or create hotlinks for SVG files", "Restrict SVG uploads to trusted administrators only and enforce strict content\u2011type validation to reject non\u2011SVG MIME types"], "summary": {"action": "Patch Upgrade", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all versions of the Gokapi self\u2011hosted file sharing server prior to version 2.2.3 released by Forceu. Anyone running Gokapi 2.2.2 or earlier and allowing authenticated uploads of SVG files is susceptible.", "description_and_impact": "A malicious authenticated user can upload a specially crafted SVG file, create a hotlink for it, and cause arbitrary JavaScript to execute in the web browser of any user who views the hotlink. The stored XSS flaw is a classic example of CWE\u201179, allowing attackers to hijack sessions, steal credentials or other sensitive data, and potentially deface the interface. The impact is confined to the victim\u2019s browser session but can undermine trust and allow credential theft for accounts that have access to the system.", "risk_and_exploitability": "With a CVSS score of 8.7 the flaw is considered high severity. The EPSS score is below 1\u202f% and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating a low current exploitation probability and no documented focus by malicious actors. The attack requires an authenticated account, but once an SVG is maliciously crafted, any user viewing the hotlink will trigger the embedded script. The risk to an organization therefore depends on the number of users who may view hotlinked SVGs and the sensitivity of the data accessed through them."}}}}, "created": "2026-03-06T14:55:46.034942+00:00", "updated": "2026-04-16T11:45:26.264120+00:00", "vendors": ["forceu", "forceu$PRODUCT$gokapi"]}