NIXPKGS-2026-0642

GitHub issue published 3 months, 1 week ago

Permalink CVE-2026-30955

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 months, 1 week ago by @LeSuisse Activity log

Created suggestion 3 months, 1 week ago
@LeSuisse accepted 3 months, 1 week ago
@LeSuisse published on GitHub 3 months, 1 week ago

Gokapi vulnerable to DoS in E2E Metadata Parser

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.

References

https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj x_refsource_CONFIRM
https://github.com/Forceu/Gokapi/releases/tag/v2.2.4 x_refsource_MISC

Affected products

Gokapi

==< 2.2.4

Matching in nixpkgs

pkgs.gokapi

Lightweight selfhosted Firefox Send alternative without public upload

nixos-unstable 2.2.3
- nixpkgs-unstable 2.2.3
- nixos-unstable-small 2.2.4

Package maintainers

@delliottxyz Darragh Elliott <me+git@delliott.xyz>

Upstream advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0642

References

Affected products

Matching in nixpkgs

pkgs.gokapi

Package maintainers