CVE-2025-48494 – github.com/forceu/gokapi

Package

Manager: go
Name: github.com/forceu/gokapi
Vulnerable Version: >=1.0.1 <=1.9.6 || >=0 <0.0.0-20250530191232-343cc566cfd7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

EPSS: 0.00026 pctl0.05504

Details

Gokapi vulnerable to stored XSS via uploading file with malicious file name ### Impact When using end-to-end encryption, a stored XSS vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed. With the affected versions <v2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users with <v2.0. Nethertheless with XSS, other attack vectors like redirection or crypto mining would be possble. ### Patches This CVE has been fixed in v2.0.0 ### Workarounds If you are the only authenticated user using Gokapi, you are not affected. A workaround would be to disable end-to-end encryption.

Metadata

Created: 2025-06-03T06:28:08Z
Modified: 2025-08-26T20:09:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-95rc-wc32-gm53/GHSA-95rc-wc32-gm53.json
CWE IDs: ["CWE-79", "CWE-87"]
Alternative ID: GHSA-95rc-wc32-gm53
Finding: F425
Auto approve: 1