CVE-2026-28683
Received Received - Intake
Stored XSS in Gokapi SVG Upload Allows Malicious Hotlinking

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28683
EUVD
EUVD-2026-9993
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
forceu gokapi to 2.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate and most effective mitigation is to upgrade Gokapi to version 2.2.3 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict or disable the ability for authenticated users to upload SVG files or create hotlinks to SVG files.

Implement additional input validation or sanitization on uploaded SVG files to prevent embedded scripts from being executed.

Monitor and audit user uploads and hotlink creation activities to detect and respond to suspicious behavior.

Executive Summary

CVE-2026-28683 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in the Gokapi file sharing server versions prior to 2.2.3.

The vulnerability occurs when an authenticated user uploads an SVG file containing malicious scripts and creates a hotlink to it. Because the application does not properly sanitize or neutralize script elements within the SVG, the malicious JavaScript code can be executed in the context of the application.

This allows an attacker with low privileges (an authenticated user) to execute arbitrary JavaScript remotely, potentially affecting confidentiality and integrity.

Impact Analysis

This vulnerability can lead to the execution of arbitrary JavaScript code within the application context by an authenticated attacker.

  • High impact on confidentiality: sensitive data could be exposed or stolen.
  • High impact on integrity: attacker could manipulate data or application behavior.

There is no impact on availability, but the compromise of confidentiality and integrity can lead to serious security breaches.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying SVG files uploaded by authenticated users that contain malicious script elements or special characters such as <, >, and & that are not properly sanitized.'}, {'type': 'paragraph', 'content': 'To detect potential exploitation, you can search for SVG files on your server and inspect their contents for embedded script tags or suspicious JavaScript code.'}, {'type': 'list_item', 'content': "Use commands to find SVG files: find /path/to/gokapi/uploads -name '*.svg'"}, {'type': 'list_item', 'content': "Use grep or similar tools to search for script tags or suspicious content inside SVG files: grep -r -i '<script' /path/to/gokapi/uploads/*.svg"}, {'type': 'list_item', 'content': 'Monitor web server logs for requests to SVG hotlinks that might indicate exploitation attempts.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28683. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart