CVE-2026-30955
MEDIUM
Gokapi < 2.2.4 - Authenticated Denial of Service via Unbounded Request Body
Title source: llm
Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an API endpoint accepts request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj
Release Notes x_refsource_misc
https://github.com/Forceu/Gokapi/releases/tag/v2.2.4
Scores
CVSS v3
6.5
EPSS
0.0025
EPSS Percentile
15.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (3)
forceu/gokapi
< 2.2.4
forceu/gokapi
0 - 2.2.4
Go
Forceu/Gokapi
< 2.2.4
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026