PT-2025-23498 · Gokapi · Gokapi
Forceu · Published 2025-06-02 · Updated 2026-03-09 · CVE-2025-48495
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gokapi versions prior to 2.0.0
Description: Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.0.0, an authenticated user could inject JavaScript into the API key overview by setting a crafted friendly name for an API key. The stored name is rendered into the page, so the payload executes in the browser of any other user who opens the API tab (a stored XSS; the victim must visit the page, hence UI:R in the vector). Before 2.0.0 Gokapi had no user permission system, so every authenticated user could see and modify all resources, including renaming any API key, and the encryption key had to be the same for all users.
Recommendations: Update to version 2.0.0 or later. As a temporary workaround, avoid opening the API page if another user might have injected code into an API key name.
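The following is an added illustration of the bug class described above, not code from Gokapi: a user-controlled API key friendly name rendered through Go's text/template (no escaping) beside the same template rendered through html/template (contextual escaping). The APIKey type, the sample rows and the payload string are constructed for the example; how Gokapi itself rendered the overview is not shown on this page.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// APIKey is a hypothetical, simplified model of one row of an API key
// overview: the friendly name is free text chosen by whoever renames the key.
type APIKey struct {
	ID           string
	FriendlyName string
}

// sampleKeys is constructed test data; the second key's friendly name is
// the kind of payload an authenticated user could store by renaming a key.
var sampleKeys = []APIKey{
	{ID: "key-1", FriendlyName: "backup-script"},
	{ID: "key-2", FriendlyName: "<script>alert(document.cookie)</script>"},
}

// rowTemplate is shared by both renderers so the only difference between
// them is the template engine, and therefore whether values are escaped.
const rowTemplate = `{{range .}}<tr><td>{{.ID}}</td><td>{{.FriendlyName}}</td></tr>
{{end}}`

// RenderUnsafe reproduces the vulnerable pattern: user-supplied text is
// interpolated through text/template, which performs no HTML escaping,
// so a stored payload is emitted as live markup.
func RenderUnsafe(keys []APIKey) string {
	tmpl := texttemplate.Must(texttemplate.New("rows").Parse(rowTemplate))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, keys); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderSafe renders the identical template through html/template, which
// escapes every interpolated value for the context it lands in (here text
// inside a <td>), so the payload is displayed literally instead of executed.
func RenderSafe(keys []APIKey) string {
	tmpl := htmltemplate.Must(htmltemplate.New("rows").Parse(rowTemplate))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, keys); err != nil {
		panic(err)
	}
	return buf.String()
}

// ContainsRawScript is the check a reviewer or regression test would apply
// to the rendered page: does an unescaped <script tag survive into the output?
func ContainsRawScript(page string) bool {
	return strings.Contains(strings.ToLower(page), "<script")
}

func main() {
	fmt.Println("text/template (vulnerable):")
	fmt.Print(RenderUnsafe(sampleKeys))
	fmt.Println("html/template (escaped):")
	fmt.Print(RenderSafe(sampleKeys))
}
```

Running it prints the payload once as a live `<script>` element and once as `&lt;script&gt;...&lt;/script&gt;`. Output escaping is the fix for the rendering side; it does not replace the permission model that 2.0.0 introduced, since without it any authenticated account can still rename every other user's keys.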

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-48495
GHSA-4XG4-54HM-9J77
GO-2025-3736
OPENSUSE-SU-2025:15225-1

Affected Products

Gokapi