What is CVE-2025-48494?

CVE-2025-48494 is a vulnerability in Forceu Gokapi, classified under Cross-site Scripting. Published 2025-06-02.

Is CVE-2025-48494 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XSS in Forceu Gokapi

CVE-2025-48494

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (23.1th percentile) — read the EPSS interpretation.

Affected products

Forceu Gokapi — versions < 2.0.0

Weakness classification (CWE)

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

https://github.com/Forceu/Gokapi/security/advisories/GHSA-95rc-wc32-gm53 (x_refsource_CONFIRM)
https://github.com/Forceu/Gokapi/commit/343cc566cfd7f4efcd522c92371561d494aed6b0 (x_refsource_MISC)
https://github.com/Forceu/Gokapi/releases/tag/v2.0.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-48494?: CVE-2025-48494 is a vulnerability in Forceu Gokapi, classified under Cross-site Scripting. Published 2025-06-02.
Is CVE-2025-48494 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.