CVE-2026-30943

medium

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4.
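
The authorization gap described above, modeled as an added Go example for reviewers checking similar handlers; it is not Gokapi's own code. Only the two permission names and the deleteNewFile flag come from the description; the types, function names, bit values and sample file ID are assumptions, and permissions on the replace target are left out of the model.

```go
package main

import "fmt"

// Only the two permission names come from the advisory text; bit values,
// types and function names below are assumptions made for illustration.
const (
	UserPermListOtherUploads = 1 << iota
	UserPermDeleteOtherUploads
)

type User struct{ ID, Perms int }
type File struct {
	ID      string
	OwnerID int
}

func (u User) has(p int) bool { return u.Perms&p != 0 }

// listOnlyCheck models the flawed pattern: visibility of the source file is
// treated as sufficient, even when deleteNewFile makes the call destructive.
func listOnlyCheck(u User, src File, deleteNewFile bool) bool {
	return src.OwnerID == u.ID || u.has(UserPermListOtherUploads)
}

// hardenedCheck additionally requires the delete permission whenever the
// request would remove a source file owned by someone else.
func hardenedCheck(u User, src File, deleteNewFile bool) bool {
	if src.OwnerID == u.ID {
		return true // own upload: no cross-user permission involved
	}
	if !u.has(UserPermListOtherUploads) {
		return false
	}
	return !deleteNewFile || u.has(UserPermDeleteOtherUploads)
}

func main() {
	lister := User{ID: 2, Perms: UserPermListOtherUploads}
	other := File{ID: "constructed-file-id", OwnerID: 1} // constructed sample
	fmt.Println("list-only check allows delete:", listOnlyCheck(lister, other, true))
	fmt.Println("hardened check allows delete: ", hardenedCheck(lister, other, true))
	fmt.Println("hardened check, no delete:    ", hardenedCheck(lister, other, false))
}
```

The general point for code review: a boolean flag that turns a read-style or copy-style operation into a destructive one needs its own permission check, keyed to the object that gets destroyed.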

References

https://github.com/Forceu/Gokapi/security/advisories/GHSA-j6jp-78w8-34x6

https://github.com/Forceu/Gokapi/releases/tag/v2.2.4

Details

Source: Mitre, NVD

Published: 2026-03-13

Updated: 2026-03-17

Risk Information

CVSS v2

Base Score: 3.3

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 4.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00014