CVE-2026-28683 - Vulnerability Analysis
Severity: High
CVSS: 8.7
Last Updated: March 9, 2026
Gokapi - Stored XSS
Overview
Gokapi versions before 2.2.3 contain a stored XSS vulnerability. A malicious authenticated user can upload an SVG file and create a hotlink for it, which lets the attacker execute scripts in other users' browsers. Exploitation requires user authentication.
Impact
Authenticated attackers can execute scripts in other users' browsers, potentially stealing data or performing actions on their behalf.
Mitigation
Update to version 2.2.3 or later.
Social Media Activity (2 posts)
CVE-2026-28683 - High (8.7) Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patc... https://www.thehackerwire.com/vulnerability/CVE-2026-28683/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-28683
- Severity: High
- CVSS Score: 8.7
- Type: stored_xss
- Status: unconfirmed
- EPSS: 1.9%
- Social Posts: 2
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N