CVE-2026-30955

MEDIUM6.5EPSS 0.01%

Gokapi vulnerable to DoS in E2E Metadata Parser

Published: 3/13/2026Modified: 3/24/2026

Description

### Summary An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. ### Impact Any authenticated user can crash the Gokapi server by sending concurrent large payloads.

Affected packages (2)

Go/github.com/forceu/gokapifrom 0, < 2.2.4
Go/github.com/forceu/gokapifrom 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30955
PATCHhttps://github.com/Forceu/Gokapi
WEBhttps://github.com/Forceu/Gokapi/releases/tag/v2.2.4
WEBhttps://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj
WEBhttps://pkg.go.dev/vuln/GO-2026-4698