Gokapi has Stored XSS in SVG Hotlinks
If a malicious authenticated user uploads SVG and creates a hotlink for it, they achieve stored XSS.
Advisories for Golang/Github.com/Forceu/Gokapi package
2026
Gokapi has privilege escalation with auth token
A registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If you do not have any other users with access to the admin/upload menu, you are not impacted.
Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion
A privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges.
Gokapi has Data Leak in Upload Status Stream
The upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user.
Gokapi has CSRF in Login Endpoint
The login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. Issue found by aisafe.io
2025
Gokapi vulnerable to stored XSS via uploading file with malicious file name
When using end-to-end encryption, a stored XSS vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed. With the affected versions <v2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key …
Gokapi has stored XSS vulnerability in friendly name for API keys
By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. With the affected versions <v2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the …