CVE-2026-28683
Published
CVSS v3
8.7
HIGH
CVSS v2
N/A
Affected
1
PROJECT
Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.
Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported.
GitHub