CVE-2025-48494

Name of the Vulnerable Software and Affected Versions Gokapi versions prior to 2.0.0

Description Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. A stored cross-site scripting issue can be exploited by uploading a file with JavaScript code embedded in the filename. The script is then parsed after upload and every time someone opens the upload list. Prior to version 2.0.0, all authenticated users could see and modify all resources, even if end-to-end encrypted, due to the lack of a user permission system.

Recommendations For versions prior to 2.0.0, update to version 2.0.0 to resolve the issue. As a temporary workaround, consider disabling end-to-end encryption until the issue is resolved.