Cross-Site Scripting Vulnerability in Gokapi File Sharing Server by Forceu
CVE-2025-48494

4.8 MEDIUM

Key Information:

Vendor

Forceu

Status
Vendor
CVE Published:
2 June 2025

What is CVE-2025-48494?

Gokapi, a self-hosted file sharing server, has a stored cross-site scripting vulnerability. By uploading a file whose filename contains embedded JavaScript, an authenticated user causes that script to execute whenever the upload list is viewed. Prior to version 2.0.0, Gokapi had no user permission system, so every authenticated user could view and modify all resources, including those protected by end-to-end encryption. This flaw poses a significant threat to data security and privacy. Installations with only a single authenticated login are not affected, and the issue has been addressed in version 2.0.0. For those unable to upgrade, disabling end-to-end encryption is a potential workaround.
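The mechanism described above is a stored XSS through a filename that reaches an HTML page without escaping. The Go program below is an added illustration and is not Gokapi's own code, nor taken from the advisory: it renders a constructed upload list once with text/template, which performs no HTML escaping, and once with html/template, which escapes according to context. The template, the Upload type and the sample filename are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Upload is an assumed record for one uploaded file; only the
// user-controlled filename matters for this example.
type Upload struct {
	Name string
}

// listTmpl is an assumed fragment of an "upload list" page. The
// {{.Name}} action is where an attacker-controlled filename lands.
const listTmpl = `<ul>{{range .}}<li>{{.Name}}</li>{{end}}</ul>`

// RenderUnsafe shows the vulnerable pattern: text/template copies the
// filename into the HTML verbatim, so markup in the name becomes markup
// in the page.
func RenderUnsafe(uploads []Upload) string {
	var buf bytes.Buffer
	t := texttemplate.Must(texttemplate.New("list").Parse(listTmpl))
	if err := t.Execute(&buf, uploads); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderSafe shows the fix: html/template knows {{.Name}} sits in an
// HTML text node and replaces <, >, &, " and ' with entities, so the
// browser shows the filename as text instead of parsing it.
func RenderSafe(uploads []Upload) string {
	var buf bytes.Buffer
	t := htmltemplate.Must(htmltemplate.New("list").Parse(listTmpl))
	if err := t.Execute(&buf, uploads); err != nil {
		panic(err)
	}
	return buf.String()
}

// ContainsRawTag is a simple check a reviewer or test can run over
// rendered output: does any raw "<script" survive rendering?
func ContainsRawTag(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	// Constructed sample: a filename carrying a script tag, the shape
	// of input the advisory describes.
	uploads := []Upload{
		{Name: "quarterly-report.pdf"},
		{Name: "notes<script>x</script>.txt"},
	}
	fmt.Println("text/template :", RenderUnsafe(uploads))
	fmt.Println("html/template :", RenderSafe(uploads))
	fmt.Println("raw tag in unsafe output:", ContainsRawTag(RenderUnsafe(uploads)))
	fmt.Println("raw tag in safe output:  ", ContainsRawTag(RenderSafe(uploads)))
}
```

The point of the example is that the fix belongs at the rendering layer, not in a filename filter: html/template escapes every value by type of context, so a filename that slips past upload validation is still displayed as text. A filename allow-list at upload time is a reasonable second layer, but on its own it is easy to get wrong.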

Affected Version(s)

Gokapi < 2.0.0

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
