CVE-2026-28683
📋 TL;DR
This vulnerability allows authenticated attackers to upload malicious SVG files and create hotlinks that execute stored cross-site scripting (XSS) attacks. Users of Gokapi file sharing servers running versions before 2.2.3 are affected. The attack requires authentication but can impact other users who view the malicious content.
💻 Affected Systems
- Gokapi
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious user could steal session cookies, perform actions as other users, deface the application, or redirect users to malicious sites.
Likely Case
Attackers with valid credentials could compromise other user accounts, steal sensitive data, or manipulate the application interface.
If Mitigated
With proper input validation and output encoding, the XSS payload would be neutralized before execution.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.3
Vendor Advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-3c22-5j5m-4jq7
Restart Required: Yes
Instructions:
1. Backup your Gokapi configuration and data.
2. Stop the Gokapi service.
3. Download and install version 2.2.3 from the official releases.
4. Restart the Gokapi service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable SVG uploads
- Configure Gokapi to reject SVG file uploads entirely
- Modify Gokapi configuration to add SVG to blocked file types
Restrict hotlink creation
- Limit which users can create hotlinks to uploaded files
- Configure user permissions to restrict hotlink creation to trusted administrators only
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Enable web application firewall (WAF) rules specifically targeting XSS in SVG files
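The "disable SVG uploads" workaround above and the CSP hardening in this list, combined in one added Go example (Gokapi is written in Go). This is illustrative code, not Gokapi's own implementation or the 2.2.3 fix; IsSVG, AllowUpload and HotlinkHeaders are assumed helper names and the sample upload is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"regexp"
	"strings"
)

// Matches an <svg ...> root element case-insensitively, wherever it sits
// after an XML declaration, comments or whitespace.
var svgRoot = regexp.MustCompile(`(?i)<svg[\s>/]`)

// IsSVG sniffs the first 2 KiB of content instead of trusting the name,
// so an SVG renamed to .png is still recognised.
func IsSVG(content []byte) bool {
	if len(content) > 2048 {
		content = content[:2048]
	}
	return svgRoot.Match(content)
}

// AllowUpload is the "disable SVG uploads" workaround as a policy check
// (hypothetical helper, not Gokapi's API): reject by extension and content.
func AllowUpload(filename string, content []byte) bool {
	ext := strings.ToLower(path.Ext(filename))
	return ext != ".svg" && ext != ".svgz" && !IsSVG(content)
}

// HotlinkHeaders is the "if you can't patch" hardening for a hotlink response:
// nosniff stops the browser re-typing the body, the CSP forbids script, plugin
// and external loads even if the SVG is opened directly, and SVGs are downloaded.
func HotlinkHeaders(h http.Header, content []byte) {
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy",
		"default-src 'none'; style-src 'unsafe-inline'; sandbox")
	if IsSVG(content) {
		h.Set("Content-Disposition", "attachment")
	}
}

func main() {
	// Constructed sample: an SVG with an (empty) script element, uploaded as .png.
	sample := []byte(`<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>`)
	fmt.Println("upload allowed:", AllowUpload("logo.png", sample)) // false
	h := http.Header{}
	HotlinkHeaders(h, sample)
	fmt.Println("hotlink headers:", h)
}
```

Note that a `Content-Disposition: attachment` response is a download, so files that must remain hotlinkable as images need a different, vetted format or real server-side sanitisation.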
🔍 How to Verify
Check if Vulnerable:
Check if Gokapi version is below 2.2.3 in the web interface or configuration files
Check Version:
Check the Gokapi web interface dashboard or examine the version in the application configuration
Verify Fix Applied:
Confirm version 2.2.3 or higher is installed and test SVG upload with XSS payload to ensure it's sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads from authenticated users
- Multiple hotlink creation events in short timeframes
Network Indicators:
- Requests to SVG files with script-like parameters
- Unusual outbound connections from Gokapi server
SIEM Query:
source="gokapi" AND (file_extension="svg" OR file_type="image/svg+xml") AND user_agent NOT IN ["expected_user_agents"]