PT-2026-25358 · Gokapi · Gokapi

Sijisu · Published 2026-03-13 · Updated 2026-03-25 · CVE-2026-30961

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Gokapi versions prior to 2.2.4

Description

Gokapi is a self-hosted file sharing server. The chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks, each under MaxSize, and upload them sequentially, bypassing the size restriction. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This allows unauthorized storage consumption, circumvention of administrative resource policies, and potential service disruption through storage exhaustion.

Recommendations

Update to version 2.2.4 or later.
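
The class of check described above, as an added Go example that is not Gokapi's code: a per-chunk comparison against MaxSize next to a cumulative one, plus re-validation at the completion step. The `UploadSession` type, its method names and the sample sizes are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// UploadSession is a hypothetical type for this example, not Gokapi's own.
type UploadSession struct {
	MaxSize  int64 // per-request limit in bytes
	Received int64 // running total of accepted chunk bytes
}

var ErrTooLarge = errors.New("upload exceeds file request MaxSize")

// AddChunkPerChunkOnly is the flawed pattern: each chunk is checked, the sum is not.
func (s *UploadSession) AddChunkPerChunkOnly(n int64) error {
	if n > s.MaxSize {
		return ErrTooLarge
	}
	s.Received += n
	return nil
}

// AddChunk enforces MaxSize on the cumulative size (overflow-safe comparison).
func (s *UploadSession) AddChunk(n int64) error {
	if n < 0 || n > s.MaxSize-s.Received {
		return ErrTooLarge
	}
	s.Received += n
	return nil
}

// Complete re-checks the assembled file size at the completion step.
func (s *UploadSession) Complete(assembledSize int64) error {
	if assembledSize > s.MaxSize {
		return ErrTooLarge
	}
	return nil
}

func main() {
	const MiB = 1 << 20 // constructed sample: 10 MiB limit, four 8 MiB chunks
	weak := &UploadSession{MaxSize: 10 * MiB}
	strict := &UploadSession{MaxSize: 10 * MiB}
	for i := 0; i < 4; i++ {
		fmt.Println(i, weak.AddChunkPerChunkOnly(8*MiB), strict.AddChunk(8*MiB))
	}
	fmt.Println(weak.Received/MiB, strict.Received/MiB, weak.Complete(weak.Received))
}
```

With the per-chunk check alone, the session ends up holding 32 MiB against a 10 MiB limit; the cumulative check stops at the second chunk, and the completion check catches the oversized total even if chunk accounting was skipped.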

Exploit

Fix

Allocation of Resources Without Limits

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-30961
GHSA-45VH-RPC8-HXPP
GO-2026-4695
SUSE-SU-2026:1042-1

Affected Products

Gokapi