Cross-site request forgery in github.com/forceu/gokapi

Description

Gokapi has CSRF in Login Endpoint

Summary

The login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation.

Issue found by aisafe.io

Impact

An attacker can force a victim browser into a session associated with an existing user account where the attacker knows the credentials, causing user confusion, activity misattribution, and potential misuse of trusted user actions.
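As an added illustration, not Gokapi's own code: a hypothetical Go login handler that binds the credential-bearing POST to the browser context the summary says is missing, by issuing a random pre-login token as both a cookie and a hidden form field and checking the Origin header. The cookie name CSRFCookieName, the form field csrf_token and the host app.example are assumptions made for this example.

```go
package main
import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/url"
)

// CSRFCookieName is a hypothetical name for the pre-login token cookie.
const CSRFCookieName = "csrf_prelogin"

// CheckLoginCSRF accepts a login POST only when any Origin header names this host and
// the csrf_token form field equals the pre-login cookie GET /login issued to the same browser.
func CheckLoginCSRF(r *http.Request, host string) error {
	if o := r.Header.Get("Origin"); o != "" {
		if u, err := url.Parse(o); err != nil || u.Host != host {
			return fmt.Errorf("origin %q is not %q", o, host)
		}
	}
	c, err := r.Cookie(CSRFCookieName)
	if err != nil || c.Value == "" {
		return fmt.Errorf("missing pre-login CSRF cookie")
	}
	if subtle.ConstantTimeCompare([]byte(r.FormValue("csrf_token")), []byte(c.Value)) != 1 {
		return fmt.Errorf("csrf_token does not match cookie")
	}
	return nil
}

// LoginHandler: GET issues the cookie/form token pair; POST verifies it before any credential check.
func LoginHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodGet {
		b := make([]byte, 32)
		if _, err := rand.Read(b); err != nil {
			http.Error(w, "server error", http.StatusInternalServerError)
			return
		}
		tok := hex.EncodeToString(b)
		http.SetCookie(w, &http.Cookie{Name: CSRFCookieName, Value: tok, Path: "/login", HttpOnly: true, SameSite: http.SameSiteStrictMode})
		fmt.Fprintf(w, `<form method="post"><input type="hidden" name="csrf_token" value="%s">`, tok)
		return
	}
	if err := CheckLoginCSRF(r, r.Host); err != nil {
		http.Error(w, "forbidden", http.StatusForbidden)
		return // a forged POST never reaches credential validation or session creation
	}
	w.WriteHeader(http.StatusOK) // credential validation and session creation would go here
}
```

SameSite=Strict on the pre-login cookie already keeps it off cross-site POSTs in current browsers; the token comparison is the layer that does not depend on browser behaviour.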

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
