CVE-2026-30961

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L                                    

Vulnerability Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This vulnerability is fixed in 2.2.4.

Vulnerability Details

Published Date

March 13, 2026

Last Modified

March 17, 2026

CWE ID

CWE-770

Source

NVD

Vendor

Forceu

Product

Gokapi

External References

https://github.com/Forceu/Gokapi/releases/tag/v2.2.4
https://github.com/Forceu/Gokapi/security/advisories/GHSA-45vh-rpc8-hxpp

CVE-2026-30961

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment