Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed. Prior to version 2.0.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users using a version prior to 2.0.0. If a user is the only authenticated user using Gokapi, they are not affected. This issue has been fixed in v2.0.0. A possible workaround would be to disable end-to-end encryption.

INFO

Published Date :

2025-06-02T11:03:52.689Z

Last Modified :

2025-06-02T13:05:27.835Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-48494 vulnerability.

Vendors Products
Forceu
  • Gokapi
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-48494.

URL Resource
https://github.com/Forceu/Gokapi/commit/343cc566cfd7f4efcd522c92371561d494aed6b0 cve-icon cve-icon
https://github.com/Forceu/Gokapi/releases/tag/v2.0.0 cve-icon cve-icon
https://github.com/Forceu/Gokapi/security/advisories/GHSA-95rc-wc32-gm53 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact