Cyber Posture

CVE-2026-28683

Severity: High
Published: 06 March 2026
Modified: 09 March 2026
KEV Added: not listed in the CISA KEV catalog
Patch: fixed in version 2.2.3
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (1.1th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28683 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Forceu Gokapi. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and patching of flaws like the stored XSS in Gokapi prior to v2.2.3 to eliminate the vulnerability.

SI-10 Information Input Validation (prevent): Mandates validation of uploaded files to block malicious SVGs containing executable JavaScript from being accepted into the file sharing server.

SI-15 Information Output Filtering (prevent): Enforces filtering of outputs when serving SVG hotlinks to neutralize embedded scripts and prevent XSS execution in victims' browsers.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1056.001 Keylogging (Collection)
Adversaries may log user keystrokes to intercept credentials as the user types them.
Why these techniques?

Stored XSS via malicious SVG upload enables JS execution in victim browsers (T1059.007), session/cookie theft and hijacking (T1185, T1539), keystroke capture (T1056.001), and exploitation of the web app itself (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.

Deeper analysis

CVE-2026-28683 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Gokapi, a self-hosted file sharing server that supports automatic expiration and encryption. The flaw exists in versions prior to 2.2.3, where a malicious authenticated user can upload a specially crafted SVG file and generate a hotlink for it, embedding executable JavaScript that persists and executes in the context of other users viewing the hotlink.

An attacker with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R) such as a victim clicking or viewing the hotlinked SVG. Successful exploitation changes the scope (S:C), enabling high-impact confidentiality (C:H) and integrity (I:H) violations, such as stealing session cookies, keystrokes, or other sensitive data from affected users' browsers, with no direct availability impact (A:N). The vulnerability carries a CVSS v3.1 base score of 8.7, indicating high severity.

The issue has been addressed in Gokapi version 2.2.3, as detailed in the project's release notes and GitHub Security Advisory GHSA-3c22-5j5m-4jq7. Security practitioners should upgrade to v2.2.3 or later and review uploaded files for SVG content, particularly in multi-user environments, to mitigate risks from existing hotlinks.
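As an added illustration of the SI-10 and SI-15 controls listed above (example code written for this page, not code from the Gokapi project, and independent of how v2.2.3 actually fixed the issue): a Go upload-time check that refuses SVGs carrying executable content, and a serve-time header set for the hotlink route that neutralizes scripts in anything that slipped through. The function names and the two sample SVGs are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"io"
	"net/http"
	"strings"
)

// Constructed samples (not from the advisory): a benign icon and an upload
// carrying script, which pre-2.2.3 Gokapi accepted and served via hotlink.
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>`
const hostileSVG = `<svg xmlns="http://www.w3.org/2000/svg"><script>void 0</script></svg>`

// svgHasActiveContent is the upload-time check (SI-10): true when the SVG has
// <script> or <foreignObject> elements, on* event attributes, or javascript:
// URLs, i.e. anything a browser executes when the hotlink is opened directly.
func svgHasActiveContent(data []byte) bool {
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = false // tolerate sloppy markup, as browsers do
	for {
		tok, err := dec.Token()
		if err != nil {
			return err != io.EOF // clean EOF: nothing active; any other error fails closed
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue // character data, comments, etc. cannot execute by themselves
		}
		if n := strings.ToLower(se.Name.Local); n == "script" || n == "foreignobject" {
			return true
		}
		for _, a := range se.Attr {
			v := strings.ToLower(strings.TrimSpace(a.Value))
			if strings.HasPrefix(strings.ToLower(a.Name.Local), "on") || strings.HasPrefix(v, "javascript:") {
				return true
			}
		}
	}
}

// hardenDownloadHeaders is the serve-time control (SI-15) for the hotlink
// route: a sandboxing CSP keeps scripts in a stored SVG from running in the
// viewer's browser, and nosniff stops the browser reinterpreting the type.
func hardenDownloadHeaders(h http.Header) {
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	h.Set("X-Content-Type-Options", "nosniff")
}
```

Call `hardenDownloadHeaders(w.Header())` before writing the file body on the download route; the check runs on the upload path before the file is stored.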

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: forceu gokapi, versions ≤ 2.2.3 as listed here (the NVD description states that versions prior to 2.2.3 are affected and that 2.2.3 contains the fix)

CVEs Like This One

CVE-2025-26989 (shared CWE-79)
CVE-2026-27385 (shared CWE-79)
CVE-2026-24745 (shared CWE-79)
CVE-2026-25353 (shared CWE-79)
CVE-2026-27376 (shared CWE-79)
CVE-2026-27072 (shared CWE-79)
CVE-2025-23838 (shared CWE-79)
CVE-2026-33172 (shared CWE-79)
CVE-2025-67949 (shared CWE-79)
CVE-2025-23549 (shared CWE-79)
