Vulnerability Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This vulnerability is fixed in 2.2.4.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Forceu | Gokapi | < 2.2.4 |
Related Weaknesses (CWE)
References
- https://github.com/Forceu/Gokapi/releases/tag/v2.2.4ProductRelease Notes
- https://github.com/Forceu/Gokapi/security/advisories/GHSA-45vh-rpc8-hxppVendor Advisory
FAQ
What is CVE-2026-30961?
CVE-2026-30961 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size...
How severe is CVE-2026-30961?
CVE-2026-30961 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30961?
Check the references section above for vendor advisories and patch information. Affected products include: Forceu Gokapi.