CVE-2026-30955

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Forceu/Gokapi/releases/tag/v2.2.4	Product Release Notes
https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-13 19:54

Updated : 2026-03-17 13:46

NVD link : CVE-2026-30955

Mitre link : CVE-2026-30955

CVE.ORG link : CVE-2026-30955

JSON object : View

Products Affected

forceu

gokapi

CWE

CWE-400

Uncontrolled Resource Consumption

6.5 /10