XSS in Forceu Gokapi

CVE-2025-48495

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when a…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (20.0th percentile)

Frequently asked questions

What is CVE-2025-48495?
CVE-2025-48495 is a vulnerability in Forceu Gokapi, classified under Cross-site Scripting. Published 2025-06-02.
Is CVE-2025-48495 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.