CVE-2026-30955: Gokapi vulnerable to DoS in E2E Metadata Parser

March 13, 2026 (updated March 24, 2026)

An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users.

References

github.com/Forceu/Gokapi
github.com/Forceu/Gokapi/releases/tag/v2.2.4
github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj
github.com/advisories/GHSA-qwc6-vc2v-2ggj
nvd.nist.gov/vuln/detail/CVE-2026-30955
pkg.go.dev/vuln/GO-2026-4698

Code Behaviors & Features

Detect and mitigate CVE-2026-30955 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →