CVE-2026-30955

MEDIUM

Gokapi <2.2.4 - DoS

Title source: llm

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an API endpoint accepts request bodies without any size limit, so an authenticated user can cause an out-of-memory (OOM) kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.

Scores

CVSS v3 6.5
EPSS 0.0001
EPSS Percentile 1.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (3)
forceu/gokapi < 2.2.4
forceu/gokapi 0 - 2.2.4 (Go)
Forceu/Gokapi < 2.2.4
Published Mar 13, 2026
Tracked Since Mar 14, 2026