VDB

CESS-2026-28682

CESS-2026-28682 PUBLISHED CVSS 6.4 MEDIUM

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.

Risk Scores

CVSS 3.1
6.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Timeline

  • Mar 5, 2026 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›