CVE-2026-30961

Description

### Summary The chunked upload completion path for file requests does not validate the total file size against the per-request `MaxSize` limit. An attacker with a public file request link can split an oversized file into chunks each under `MaxSize` and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global `MaxFileSizeMB` are accepted regardless of the file request's configured limit. ### Impact Any guest with access to a shared file request link can upload files far larger than the administrator-configured size limit, up to the server's global `MaxFileSizeMB`. This allows unauthorized storage consumption, circumvention of administrative resource policies, and potential service disruption through storage exhaustion. No data exposure or privilege escalation occurs.

Affected packages (2)

• Go/github.com/forceu/gokapifrom 0, < 2.2.4
• Go/github.com/forceu/gokapifrom 0

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30961
• PATCHhttps://github.com/Forceu/Gokapi
• WEBhttps://github.com/Forceu/Gokapi/releases/tag/v2.2.4
• WEBhttps://github.com/Forceu/Gokapi/security/advisories/GHSA-45vh-rpc8-hxpp
• WEBhttps://pkg.go.dev/vuln/GO-2026-4695