PT-2026-23603 · Gokapi · Gokapi

Sijisu · Published 2026-03-05 · Updated 2026-03-25 · CVE-2026-28683

CVSS v3.1: 8.7 High
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Gokapi versions prior to 2.2.3

Description: A malicious authenticated user can achieve stored cross-site scripting (XSS) by uploading SVG files and creating a hotlink for them. The hotlinking functionality does not properly handle scripts included in the SVGs, allowing authenticated attackers with file upload and hotlink capabilities to execute arbitrary JavaScript.

Recommendations: Update to version 2.2.3 or later.
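For operators who serve user-uploaded SVGs inline from an application origin, the following added example (not Gokapi's code and not the 2.2.3 fix) shows two generic defences against this class of bug: a heuristic check for active content in an SVG, and response headers that stop a served upload from running script. The names `svgActiveContent` and `hardenHotlink` and the sample SVG are assumptions made for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// svgActiveContent lists script-capable constructs found in an SVG document.
// Heuristic only: an empty result is not proof the file is safe to serve inline.
func svgActiveContent(doc string) []string {
	var hits []string
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return hits
		}
		if err != nil {
			return append(hits, "unparseable: "+err.Error()) // fail closed
		}
		el, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		if n := strings.ToLower(el.Name.Local); n == "script" || n == "foreignobject" {
			hits = append(hits, "element <"+n+">")
		}
		for _, a := range el.Attr {
			key, val := strings.ToLower(a.Name.Local), strings.ToLower(strings.TrimSpace(a.Value))
			if strings.HasPrefix(key, "on") || (key == "href" && strings.HasPrefix(val, "javascript:")) {
				hits = append(hits, "attribute "+key)
			}
		}
	}
}

// hardenHotlink sets headers so a directly served upload cannot execute script.
func hardenHotlink(h http.Header) {
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	h.Set("X-Content-Type-Options", "nosniff")
}

func main() {
	sample := `<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>` // constructed
	fmt.Println(svgActiveContent(sample))
}
```

The headers are the stronger control, because they hold even when the scanner misses a construct; the scanner is useful for auditing files that were uploaded before the upgrade.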

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-28683
GHSA-3C22-5J5M-4JQ7
GO-2026-4612
SUSE-SU-2026:1042-1

Affected Products

Gokapi