CVE-2026-28683
Stored XSS in Gokapi SVG Upload Allows Malicious Hotlinking
Publication date: 2026-03-06
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| forceu | gokapi | to 2.2.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Gokapi to version 2.2.3 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict or disable the ability for authenticated users to upload SVG files or create hotlinks to SVG files.
Implement additional input validation or sanitization on uploaded SVG files to prevent embedded scripts from being executed.
Monitor and audit user uploads and hotlink creation activities to detect and respond to suspicious behavior.
Can you explain this vulnerability to me?
CVE-2026-28683 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in the Gokapi file sharing server versions prior to 2.2.3.
The vulnerability occurs when an authenticated user uploads an SVG file containing malicious scripts and creates a hotlink to it. Because the application does not properly sanitize or neutralize script elements within the SVG, the malicious JavaScript code can be executed in the context of the application.
This allows an attacker with low privileges (an authenticated user) to execute arbitrary JavaScript remotely, potentially affecting confidentiality and integrity.
How can this vulnerability impact me? :
This vulnerability can lead to the execution of arbitrary JavaScript code within the application context by an authenticated attacker.
- High impact on confidentiality: sensitive data could be exposed or stolen.
- High impact on integrity: attacker could manipulate data or application behavior.
There is no impact on availability, but the compromise of confidentiality and integrity can lead to serious security breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying SVG files uploaded by authenticated users that contain malicious script elements or special characters such as <, >, and & that are not properly sanitized.'}, {'type': 'paragraph', 'content': 'To detect potential exploitation, you can search for SVG files on your server and inspect their contents for embedded script tags or suspicious JavaScript code.'}, {'type': 'list_item', 'content': "Use commands to find SVG files: find /path/to/gokapi/uploads -name '*.svg'"}, {'type': 'list_item', 'content': "Use grep or similar tools to search for script tags or suspicious content inside SVG files: grep -r -i '<script' /path/to/gokapi/uploads/*.svg"}, {'type': 'list_item', 'content': 'Monitor web server logs for requests to SVG hotlinks that might indicate exploitation attempts.'}] [1]