Nixpkgs security tracker

Untriaged

Permalink CVE-2026-30961

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This vulnerability is fixed in 2.2.4.

References

https://github.com/Forceu/Gokapi/security/advisories/GHSA-45vh-rpc8-hxpp x_refsource_CONFIRM
https://github.com/Forceu/Gokapi/releases/tag/v2.2.4 x_refsource_MISC

Affected products

Gokapi

==< 2.2.4

Matching in nixpkgs

pkgs.gokapi

Lightweight selfhosted Firefox Send alternative without public upload

nixos-unstable 2.2.3
- nixpkgs-unstable 2.2.3
- nixos-unstable-small 2.2.4
nixos-25.11 2.1.0
- nixos-25.11-small 2.1.0
- nixpkgs-25.11-darwin 2.1.0

Package maintainers

@delliottxyz Darragh Elliott <me+git@delliott.xyz>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.gokapi

Package maintainers