CVE-2026-28683 is a stored Cross-Site Scripting (XSS) vulnerability identified in Forceu's Gokapi, a self-hosted file sharing server that supports automatic expiration and encryption. The vulnerability exists in versions prior to 2.2.3, where an authenticated attacker can upload specially crafted SVG files and generate hotlinks to these files. Because SVG files can contain embedded scripts, the server fails to properly neutralize or sanitize the SVG content during web page generation, leading to stored XSS. When other users access the hotlinked SVG, the malicious script executes in their browsers with the privileges of the affected site, potentially allowing session hijacking, theft of sensitive data, or unauthorized actions. The vulnerability requires the attacker to be authenticated and involves user interaction to trigger the payload. The CVSS v3.1 score is 8.7 (high), reflecting network attack vector, low attack complexity, privileges required, user interaction, and high impact on confidentiality and integrity but no impact on availability. The vulnerability has been patched in version 2.2.3 of Gokapi. No known exploits in the wild have been reported as of the publication date. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation.

The impact of CVE-2026-28683 is significant for organizations using vulnerable versions of Gokapi. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of other users, leading to potential session hijacking, credential theft, or unauthorized actions within the application. This compromises confidentiality and integrity of user data and can facilitate further attacks such as privilege escalation or lateral movement. Since Gokapi is used for file sharing, attackers might leverage this vulnerability to spread malicious payloads or exfiltrate sensitive files. Although exploitation requires authentication, the risk remains high in environments where multiple users have upload permissions or where insider threats exist. The lack of impact on availability means service disruption is unlikely, but the breach of trust and data confidentiality can have severe reputational and compliance consequences.

To mitigate this vulnerability, organizations should immediately upgrade Gokapi to version 2.2.3 or later where the issue is patched. In addition, implement strict input validation and sanitization for all uploaded SVG files, ensuring that any embedded scripts or potentially dangerous content are removed or neutralized before storage or rendering. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and limit sources of executable content. Restrict upload permissions to trusted users only and monitor file uploads for suspicious content. Regularly audit and review user-generated content and hotlinks for malicious payloads. Consider disabling SVG uploads if not required or converting SVGs to safer formats. Finally, educate users about the risks of interacting with untrusted links and maintain up-to-date security monitoring to detect anomalous behavior indicative of exploitation attempts.