{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T18:21:56.736","vulnerabilities":[{"cve":{"id":"CVE-2026-30961","sourceIdentifier":"security-advisories@github.com","published":"2026-03-13T19:54:35.903","lastModified":"2026-03-17T13:46:12.297","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This vulnerability is fixed in 2.2.4."},{"lang":"es","value":"Gokapi es un servidor de intercambio de archivos autoalojado con soporte para expiración automática y cifrado. Antes de la versión 2.2.4, la ruta de finalización de carga por fragmentos para solicitudes de archivos no valida el tamaño total del archivo contra el límite MaxSize por solicitud. Un atacante con un enlace público de solicitud de archivo puede dividir un archivo de tamaño excesivo en fragmentos, cada uno por debajo de MaxSize, y cargarlos secuencialmente, eludiendo por completo la restricción de tamaño. Se aceptan archivos hasta el MaxFileSizeMB global del servidor, independientemente del límite configurado en la solicitud de archivo. Esta vulnerabilidad está corregida en la versión 2.2.4."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*","versionEndExcluding":"2.2.4","matchCriteriaId":"CE6F3F4D-D449-43DD-BB3D-86F98581926C"}]}]}],"references":[{"url":"https://github.com/Forceu/Gokapi/releases/tag/v2.2.4","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/Forceu/Gokapi/security/advisories/GHSA-45vh-rpc8-hxpp","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}