CVE-2025-48494: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Forceu Gokapi
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed. Prior to version 2.0.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users using a version prior to 2.0.0. If a user is the only authenticated user using Gokapi, they are not affected. This issue has been fixed in v2.0.0. A possible workaround would be to disable end-to-end encryption.
AI Analysis
Technical Summary
CVE-2025-48494 is a stored cross-site scripting (XSS) vulnerability in versions of the Forceu Gokapi self-hosted file sharing server prior to 2.0.0. Gokapi supports automatic expiration and encryption of shared files, including end-to-end encryption (E2EE). The flaw is improper neutralization of input during web page generation (CWE-79): JavaScript embedded in the filename of an uploaded file is not sanitized or encoded before the filename is rendered. A malicious user uploads a file with a crafted filename; the filename is stored, and the embedded script executes every time any authenticated user views the upload list. Script running in the victim's browser context can enable session hijacking, unauthorized actions, or data theft. Compounding the risk, versions prior to 2.0.0 have no user permission system: all authenticated users share the same encryption key and have full access to all resources, so any authenticated user can exploit this vulnerability to affect every other user. If only one user is authenticated, the risk is reduced because there are no other users to attack. Version 2.0.0 fixes the vulnerability, introducing user permissions and presumably better input sanitization. A temporary workaround is to disable end-to-end encryption, which likely changes how filenames are handled or displayed and so removes the XSS vector. The CVSS 4.0 base score is 4.8 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required beyond authentication, and required user interaction. No exploits in the wild were known as of publication.
Potential Impact
For European organizations using Gokapi versions prior to 2.0.0, this vulnerability poses a moderate risk to confidentiality and integrity of shared files and user sessions. The stored XSS can enable attackers to execute arbitrary scripts in the browsers of authenticated users, potentially leading to session hijacking, credential theft, or unauthorized file access/modification. Since all authenticated users share the same encryption key and permissions, a single compromised user can escalate the impact across the organization’s file sharing environment. This is particularly concerning for organizations handling sensitive or regulated data, such as those in finance, healthcare, or government sectors within Europe. The lack of user permission controls increases the risk of insider threats or lateral movement. Availability impact is limited but could occur if malicious scripts disrupt normal application use. The medium CVSS score reflects these moderate impacts combined with the need for user interaction and authentication. Organizations relying on Gokapi for secure file sharing should consider this vulnerability a notable risk, especially in multi-user deployments.
Mitigation Recommendations
1. Upgrade to Gokapi version 2.0.0 or later immediately, as this version fixes the vulnerability and introduces user permission controls.
2. If upgrading is not immediately possible, disable end-to-end encryption as a temporary workaround to mitigate the XSS attack vector.
3. Implement strict input validation and output encoding on all user-supplied data, especially filenames, to prevent script injection.
4. Restrict authentication to trusted users only and monitor for unusual activity that could indicate exploitation attempts.
5. Educate users to be cautious when interacting with file lists and uploaded content, especially if unexpected behavior is observed.
6. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts.
7. Regularly audit and review user permissions and encryption key management to minimize exposure.
8. Monitor vendor advisories and threat intelligence feeds for any emerging exploit attempts or patches.
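The following is an added example illustrating recommendation 3 (output encoding of filenames) against the defect class described above; it is not Gokapi's own code and assumes a server-rendered upload list with a hypothetical Upload row type. The same template rendered through text/template lets markup in a filename reach the page verbatim, while html/template applies contextual escaping so the filename becomes inert text.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	texttemplate "text/template"
)

// Upload is a constructed stand-in for one row of the upload list (not Gokapi's type).
type Upload struct {
	ID   string
	Name string
}

// One template for both renderers; only the parsing package differs.
const listTmpl = `<ul>{{range .}}<li data-id="{{.ID}}">{{.Name}}</li>{{end}}</ul>`

// renderUnsafe mirrors the defect class: the filename is interpolated without encoding.
func renderUnsafe(uploads []Upload) string {
	var buf bytes.Buffer
	t := texttemplate.Must(texttemplate.New("list").Parse(listTmpl))
	if err := t.Execute(&buf, uploads); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderSafe uses html/template, which escapes each value for its HTML context
// (text node here, attribute value for data-id), so "<" and ">" become entities.
func renderSafe(uploads []Upload) string {
	var buf bytes.Buffer
	t := template.Must(template.New("list").Parse(listTmpl))
	if err := t.Execute(&buf, uploads); err != nil {
		panic(err)
	}
	return buf.String()
}

// containsRawScript is a simple post-render check: no literal "<script" may survive encoding.
func containsRawScript(page string) bool {
	return strings.Contains(strings.ToLower(page), "<script")
}

func main() {
	// Constructed sample: a filename carrying markup, as the advisory describes.
	uploads := []Upload{{ID: "abc123", Name: `notes<script>alert(1)</script>.txt`}}
	fmt.Println(renderUnsafe(uploads)) // markup reaches the page as-is
	fmt.Println(renderSafe(uploads))   // &lt;script&gt;alert(1)&lt;/script&gt;.txt
}
```

If the list is instead built in the browser (for example after client-side decryption of an E2EE filename), the equivalent rule is to assign the name with textContent rather than innerHTML.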
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-22T12:11:39.122Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 683d94ca182aa0cae24279eb
Added to database: 6/2/2025, 12:10:50 PM
Last enriched: 7/9/2025, 12:42:55 PM
Last updated: 7/13/2025, 2:35:06 PM
Views: 7