Server side cross-site scripting In github.com/forceu/gokapi

Description

Gokapi has Stored XSS in SVG Hotlinks

Summary

If a malicious authenticated user uploads an SVG file and creates a hotlink for it, they achieve stored XSS.

Details

The hotlinking functionality fails to properly handle scripts included in SVGs: hotlinked SVG files are served inline as `image/svg+xml` without any headers that block script execution, so an authenticated attacker with the ability to upload and hotlink files can execute arbitrary JS in the application's origin.
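The defect and its fix, as an added Go example that is not Gokapi's own code: a hypothetical hotlink handler backed by a constructed in-memory store. `hotlinkHeadersUnsafe` reproduces the failing behaviour (the SVG is served as a plain image response, so a direct navigation to the hotlink runs any `<script>` it contains), while `hotlinkHeadersSafe` adds `X-Content-Type-Options: nosniff` and a sandboxing `Content-Security-Policy` to every active (XML/text-based) image type, which still lets the file render inside an `<img>` tag but strips it of scripts and of the site's origin when opened directly. The store, route and function names are assumptions made for the example.

```go
package main

import (
	"log"
	"net/http"
	"path/filepath"
	"strings"
)

// storedFile is a constructed stand-in for an uploaded file (hypothetical, not Gokapi's storage).
type storedFile struct {
	Name string
	Data []byte
}

// hotlinkStore maps a hotlink id to the stored file. The SVG entry carries a
// <script> element to stand in for attacker-supplied active content.
var hotlinkStore = map[string]storedFile{
	"h1": {"logo.svg", []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed: active content */</script></svg>`)},
	"h2": {"photo.png", []byte("\x89PNG\r\n\x1a\nconstructed-bytes")},
}

// imageTypes is an explicit allow-list; anything else is served as an opaque blob.
var imageTypes = map[string]string{
	".svg":  "image/svg+xml",
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
	".webp": "image/webp",
}

// contentTypeFor derives the type from the stored filename, never by sniffing
// attacker-controlled bytes.
func contentTypeFor(name string) string {
	if ct, ok := imageTypes[strings.ToLower(filepath.Ext(name))]; ok {
		return ct
	}
	return "application/octet-stream"
}

// isActiveType reports whether a browser will parse the body as a document
// that can carry scripts (SVG is XML and may contain <script> and event handlers).
func isActiveType(ct string) bool {
	return ct == "image/svg+xml" || strings.HasPrefix(ct, "text/") || strings.HasPrefix(ct, "application/xml")
}

// hotlinkHeadersUnsafe mirrors the vulnerable behaviour: only a Content-Type is set,
// so navigating directly to an SVG hotlink executes its scripts in the site's origin.
func hotlinkHeadersUnsafe(name string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", contentTypeFor(name))
	return h
}

// hotlinkHeadersSafe is the hardened variant. The sandbox CSP gives a directly
// opened SVG an opaque origin with no script execution, while <img src=...>
// embeds keep working; nosniff stops the browser from reinterpreting a blob.
func hotlinkHeadersSafe(name string) http.Header {
	h := hotlinkHeadersUnsafe(name)
	h.Set("X-Content-Type-Options", "nosniff")
	if isActiveType(h.Get("Content-Type")) {
		h.Set("Content-Security-Policy", "sandbox; script-src 'none'")
	}
	return h
}

// serveHotlink serves /hotlink/<id> using the hardened headers.
func serveHotlink(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/hotlink/")
	f, ok := hotlinkStore[id]
	if !ok {
		http.NotFound(w, r)
		return
	}
	for k, v := range hotlinkHeadersSafe(f.Name) {
		w.Header()[k] = v
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(f.Data)
}

func main() {
	http.HandleFunc("/hotlink/", serveHotlink)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Run it and request `/hotlink/h1` with curl to compare the headers against a plain image response for `/hotlink/h2`. Serving SVG with `Content-Disposition: attachment` is the stricter alternative when hotlinks never need to render in the browser at all.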

Issue found by aisafe.io

Impact

Authenticated attackers with the ability to upload and hotlink files can execute arbitrary JavaScript.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions