{"id":3505560,"name":"github.com/gotify/server","ecosystem":"go","description":"","homepage":"https://github.com/gotify/server","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/gotify/server","keywords_array":[],"namespace":"github.com/gotify","versions_count":17,"first_release_published_at":"2018-02-21T18:39:46.000Z","latest_release_published_at":"2018-12-12T20:30:59.000Z","latest_release_number":"v1.2.1","last_synced_at":"2026-04-07T10:08:56.628Z","created_at":"2022-04-10T20:36:14.848Z","updated_at":"2026-04-07T10:08:56.629Z","registry_url":"https://pkg.go.dev/github.com/gotify/server","install_command":"go get github.com/gotify/server","documentation_url":"https://pkg.go.dev/github.com/gotify/server#section-documentation","metadata":{},"repo_metadata":{"uuid":"117591846","full_name":"gotify/server","owner":"gotify","description":"A simple server for sending and receiving messages in real-time per WebSocket. (Includes a sleek web-ui)","archived":false,"fork":false,"pushed_at":"2023-01-10T18:27:06.000Z","size":3729,"stargazers_count":8518,"open_issues_count":43,"forks_count":487,"subscribers_count":118,"default_branch":"master","last_synced_at":"2023-03-13T16:02:03.053Z","etag":null,"topics":["api","cloud","free-software","golang","gotify","hosting","javascript","notifications","privacy","react","self-hosted","self-hosting","selfhosted"],"latest_commit_sha":null,"homepage":"https://gotify.net","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"logo_url":null,"metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null},"funding":{"github":"jmattheis","patreon":null,"open_co
llective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":"https://jmattheis.de/donate"}},"created_at":"2018-01-15T20:25:27.000Z","updated_at":"2023-03-13T15:10:06.000Z","dependencies_parsed_at":"2023-02-08T19:45:59.758Z","dependency_job_id":null,"html_url":"https://github.com/gotify/server","commit_stats":null,"repository_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gotify%2Fserver","tags_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gotify%2Fserver/tags","manifests_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gotify%2Fserver/manifests","owner_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gotify","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":108921946,"host_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names"},"owner_record":{"login":"gotify","name":"Gotify","uuid":"36410427","kind":"organization","description":"A self-hosted push notification 
service.","email":null,"website":"https://gotify.net","location":null,"twitter":null,"company":null,"avatar_url":"https://avatars.githubusercontent.com/u/36410427?v=4","repositories_count":11,"last_synced_at":"2023-03-02T13:45:20.573Z","metadata":{"has_sponsors_listing":false},"owner_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gotify"},"tags":[{"name":"v2.2.4","sha":"9d4e37aa87e5aea5d04b9a6285ca807099c46fbd","kind":"commit","published_at":"2023-01-10T18:14:41.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.2.4","html_url":"https://github.com/gotify/server/releases/tag/v2.2.4"},{"name":"v2.2.3","sha":"5852bbb4ac038bb8f060508d29f6e5288cf1b84f","kind":"commit","published_at":"2023-01-10T17:41:36.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.2.3","html_url":"https://github.com/gotify/server/releases/tag/v2.2.3"},{"name":"v2.2.2","sha":"056cd5ecb7f30d9d4feacb2e79c904c71fdbb066","kind":"commit","published_at":"2022-12-29T12:03:02.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.2.2","html_url":"https://github.com/gotify/server/releases/tag/v2.2.2"},{"name":"v2.2.1","sha":"022603ddf92d43d23dd3f70ad263591e24defda5","kind":"commit","published_at":"2022-12-28T19:38:05.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.2.1","html_url":"https://github.com/gotify/server/releases/tag/v2.2.1"},{"name":"v2.2.0","sha":"c8f78e84694c5998dcb102f2c718b45f25d6a9e1","kind":"commit","published_at":"2022-12-03T10:59:12.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.2.0","html_url":"https://github.com/gotify/server/releases/tag/v2.2.0"},{"name":"v2.1.7","sha":"c4e63863f745c80013ca04ffc07975aa6d0a4f67","kind":"commit","published_at":"2022-09-10T15:11:37.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.1.7","html_url":"https://github.com/gotify/server/releases/tag/v2.1.7"},{"name":"v2.1.6","sha":"c4e63863f745c80013ca04ffc07975aa
6d0a4f67","kind":"commit","published_at":"2022-09-10T15:11:37.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.1.6","html_url":"https://github.com/gotify/server/releases/tag/v2.1.6"},{"name":"v2.1.5","sha":"f16ce59e6ca3ac010dae3df1bef279c893e4a870","kind":"commit","published_at":"2022-07-24T08:48:14.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.1.5","html_url":"https://github.com/gotify/server/releases/tag/v2.1.5"},{"name":"v2.1.4","sha":"a23666aaf0d5e251273ec104effd67f7b8a0cfba","kind":"commit","published_at":"2022-01-12T18:00:05.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.1.4","html_url":"https://github.com/gotify/server/releases/tag/v2.1.4"},{"name":"v2.1.3","sha":"89fdb0b9a56690b7d1111783aa4fa73d61831e74","kind":"commit","published_at":"2021-12-04T21:31:51.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.1.3","html_url":"https://github.com/gotify/server/releases/tag/v2.1.3"},{"name":"v2.1.2","sha":"89fdb0b9a56690b7d1111783aa4fa73d61831e74","kind":"commit","published_at":"2021-12-04T21:31:51.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.1.2","html_url":"https://github.com/gotify/server/releases/tag/v2.1.2"},{"name":"v2.1.1","sha":"6b3467b1d72f597134d3c59d6815fb8b589d5503","kind":"commit","published_at":"2021-12-04T20:14:27.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.1.1","html_url":"https://github.com/gotify/server/releases/tag/v2.1.1"},{"name":"v2.1.0","sha":"8affeced49f40a00ab4bd3a9d34a222ce8600ed4","kind":"commit","published_at":"2021-09-27T15:46:12.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.1.0","html_url":"https://github.com/gotify/server/releases/tag/v2.1.0"},{"name":"v2.0.23","sha":"7e261be3046b38fcafb2680b2fb1531482954d02","kind":"commit","published_at":"2021-06-19T09:39:15.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.23","html_url
":"https://github.com/gotify/server/releases/tag/v2.0.23"},{"name":"v2.0.22","sha":"11aac90be43f1df88798f6f797d012a385b987c3","kind":"commit","published_at":"2021-04-16T17:42:45.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.22","html_url":"https://github.com/gotify/server/releases/tag/v2.0.22"},{"name":"v2.0.21","sha":"d0f47c738b0d1669e8782f1495bd99f18e7374d4","kind":"commit","published_at":"2021-01-06T14:27:55.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.21","html_url":"https://github.com/gotify/server/releases/tag/v2.0.21"},{"name":"v2.0.20","sha":"1a3ad1d706c6ae42c61e238ae9c02af6f27fe4f5","kind":"commit","published_at":"2020-10-05T20:01:06.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.20","html_url":"https://github.com/gotify/server/releases/tag/v2.0.20"},{"name":"v2.0.19","sha":"4b12b5884607632afb57322ca99fa6b5d39c4dcc","kind":"commit","published_at":"2020-09-12T15:01:11.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.19","html_url":"https://github.com/gotify/server/releases/tag/v2.0.19"},{"name":"v2.0.18","sha":"4b12b5884607632afb57322ca99fa6b5d39c4dcc","kind":"commit","published_at":"2020-09-12T15:01:11.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.18","html_url":"https://github.com/gotify/server/releases/tag/v2.0.18"},{"name":"v2.0.17","sha":"307e61474bfdbcbda4a7a8a31aa4140305f35154","kind":"commit","published_at":"2020-07-18T18:49:49.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.17","html_url":"https://github.com/gotify/server/releases/tag/v2.0.17"},{"name":"v2.0.16","sha":"7523ad0d2e33e7832a5dc875d666db1654bb4e0d","kind":"commit","published_at":"2020-05-09T14:41:53.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.16","html_url":"https://github.com/gotify/server/releases/tag/v2.0.16"},{"name":"v2.0.15","sha":"3f04d50088c8eec70a46547ebaae2269a96a5436","kind
":"commit","published_at":"2020-04-26T11:27:24.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.15","html_url":"https://github.com/gotify/server/releases/tag/v2.0.15"},{"name":"v2.0.14","sha":"e56f7bc4c7efdb61fea88a0b65d501277604cefa","kind":"commit","published_at":"2020-02-12T17:21:35.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.14","html_url":"https://github.com/gotify/server/releases/tag/v2.0.14"},{"name":"v2.0.13","sha":"b2b56e09af0ec937a74291d2582cc038fde950e8","kind":"commit","published_at":"2019-12-30T09:26:38.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.13","html_url":"https://github.com/gotify/server/releases/tag/v2.0.13"},{"name":"v2.0.12","sha":"0a7a5cd61928cc33af4dffd70767675d745897ab","kind":"commit","published_at":"2019-11-28T20:39:47.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.12","html_url":"https://github.com/gotify/server/releases/tag/v2.0.12"},{"name":"v2.0.11","sha":"9715ecaeb16475107ba0478640eacd5033531505","kind":"commit","published_at":"2019-10-24T19:35:36.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.11","html_url":"https://github.com/gotify/server/releases/tag/v2.0.11"},{"name":"v2.0.10","sha":"6edfd8400e58cbf51dda76d9e06ccac0471f1c71","kind":"commit","published_at":"2019-10-19T07:42:48.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.10","html_url":"https://github.com/gotify/server/releases/tag/v2.0.10"},{"name":"v2.0.9","sha":"4938a4a0acd999c254082bec9696006f12061c3e","kind":"commit","published_at":"2019-10-13T14:57:35.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.9","html_url":"https://github.com/gotify/server/releases/tag/v2.0.9"},{"name":"v2.0.7","sha":"7cf5c555f5b55e5080cb1f0d06aecd72809bebe8","kind":"commit","published_at":"2019-09-28T19:10:58.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.7","html_url
":"https://github.com/gotify/server/releases/tag/v2.0.7"},{"name":"v2.0.8","sha":"7cf5c555f5b55e5080cb1f0d06aecd72809bebe8","kind":"commit","published_at":"2019-09-28T19:10:58.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.8","html_url":"https://github.com/gotify/server/releases/tag/v2.0.8"},{"name":"v2.0.6","sha":"44f4ff31cb771afa551dbf443cf532d075d8dbdb","kind":"commit","published_at":"2019-06-27T17:04:48.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.6","html_url":"https://github.com/gotify/server/releases/tag/v2.0.6"},{"name":"v2.0.5","sha":"909fb80d48f0786e71c97dccbc70c96ccb9f68ab","kind":"commit","published_at":"2019-04-13T15:20:09.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.5","html_url":"https://github.com/gotify/server/releases/tag/v2.0.5"},{"name":"v2.0.4","sha":"e9bbe17fa4f1eec94b742d31f1e760423b1635a8","kind":"commit","published_at":"2019-03-30T10:08:51.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.4","html_url":"https://github.com/gotify/server/releases/tag/v2.0.4"},{"name":"v2.0.3","sha":"e32359ed151c79e07ea5420feeba0a13095afc4d","kind":"commit","published_at":"2019-03-16T10:18:51.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.3","html_url":"https://github.com/gotify/server/releases/tag/v2.0.3"},{"name":"v2.0.2","sha":"6e92bcd8e5f4e09a5f01a1d3dbf8d6c4765d5658","kind":"commit","published_at":"2019-03-10T08:50:28.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.2","html_url":"https://github.com/gotify/server/releases/tag/v2.0.2"},{"name":"v2.0.1","sha":"4814fe8d43b58cb8e8299a08d0ca91351e5846e7","kind":"commit","published_at":"2019-03-02T13:38:02.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.1","html_url":"https://github.com/gotify/server/releases/tag/v2.0.1"},{"name":"v2.0.0","sha":"5a594261ca380ac99fe0eeb2de0cc5c15a5efd77","kind":"commit","published_a
t":"2019-03-01T21:42:20.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v2.0.0","html_url":"https://github.com/gotify/server/releases/tag/v2.0.0"},{"name":"v1.2.1","sha":"b5b2f19dc2ed19165615719d49b9ad8919537476","kind":"commit","published_at":"2018-12-12T20:30:59.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.2.1","html_url":"https://github.com/gotify/server/releases/tag/v1.2.1"},{"name":"v1.2.0","sha":"ec2c3da9d4e54c5bd12dd78430398b8ef092d99d","kind":"commit","published_at":"2018-11-24T10:31:32.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.2.0","html_url":"https://github.com/gotify/server/releases/tag/v1.2.0"},{"name":"v1.1.8","sha":"29e0857365dc6004ff91fdee568f5b478222cd5f","kind":"commit","published_at":"2018-11-06T20:38:15.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.1.8","html_url":"https://github.com/gotify/server/releases/tag/v1.1.8"},{"name":"v1.1.7","sha":"22fc8c80182b8da2a5853d954eccbdc52daa4e35","kind":"commit","published_at":"2018-09-08T09:45:36.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.1.7","html_url":"https://github.com/gotify/server/releases/tag/v1.1.7"},{"name":"v1.1.6","sha":"16d16eb53999fa2e6fd44da050ee15b6bc2ac9ab","kind":"commit","published_at":"2018-05-10T10:34:35.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.1.6","html_url":"https://github.com/gotify/server/releases/tag/v1.1.6"},{"name":"v1.1.5","sha":"26f36442fd5fe01437f0a23958aa9d872d0079f8","kind":"commit","published_at":"2018-04-18T16:09:10.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.1.5","html_url":"https://github.com/gotify/server/releases/tag/v1.1.5"},{"name":"v1.1.4","sha":"9f5ed344f4443721273ddb0381c1088fe7db166c","kind":"commit","published_at":"2018-04-13T16:56:11.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.1.4","html_url":"https://github.com/gotify/server/rele
ases/tag/v1.1.4"},{"name":"v1.1.3","sha":"13d9350f6d02a6326d561f9f2482d732806e7c1e","kind":"commit","published_at":"2018-03-31T16:44:49.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.1.3","html_url":"https://github.com/gotify/server/releases/tag/v1.1.3"},{"name":"v1.1.2","sha":"d5d19b55bb7141cc68e2171ecca8f8d589d98c74","kind":"commit","published_at":"2018-03-21T16:21:55.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.1.2","html_url":"https://github.com/gotify/server/releases/tag/v1.1.2"},{"name":"v1.1.1","sha":"584d28e3fed4f599ee84b71d9d7729a3c0ed8407","kind":"commit","published_at":"2018-03-20T17:44:18.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.1.1","html_url":"https://github.com/gotify/server/releases/tag/v1.1.1"},{"name":"v1.1.0","sha":"e94ff15bde163065f75cb5d9984dd7a1a808472a","kind":"commit","published_at":"2018-03-18T18:22:27.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.1.0","html_url":"https://github.com/gotify/server/releases/tag/v1.1.0"},{"name":"v1.0.5","sha":"df8ebb9f69414d1bcea489b32577742674341008","kind":"commit","published_at":"2018-03-11T16:58:44.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.0.5","html_url":"https://github.com/gotify/server/releases/tag/v1.0.5"},{"name":"v1.0.4","sha":"a26e2cf21608b3083f1868163072334e774d3cc4","kind":"commit","published_at":"2018-03-10T12:00:55.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.0.4","html_url":"https://github.com/gotify/server/releases/tag/v1.0.4"},{"name":"v1.0.3","sha":"cb8fb2dfc208edd42a725ca6737fffd3aa5beabf","kind":"commit","published_at":"2018-02-28T19:22:25.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.0.3","html_url":"https://github.com/gotify/server/releases/tag/v1.0.3"},{"name":"v1.0.2","sha":"222b7089a9d2bead8cf05c872fa88d64bd7f26ed","kind":"commit","published_at":"2018-02-24T15:05:00.000Z","download_
url":"https://codeload.github.com/gotify/server/tar.gz/v1.0.2","html_url":"https://github.com/gotify/server/releases/tag/v1.0.2"},{"name":"v1.0.1","sha":"fb6bb484a41b3f811ac850a3b28c0417a5d8fa87","kind":"commit","published_at":"2018-02-23T19:39:23.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.0.1","html_url":"https://github.com/gotify/server/releases/tag/v1.0.1"},{"name":"v1.0.0","sha":"a22ace4f7d6d4e0dea8b1b130078573c1404457e","kind":"commit","published_at":"2018-02-21T18:39:46.000Z","download_url":"https://codeload.github.com/gotify/server/tar.gz/v1.0.0","html_url":"https://github.com/gotify/server/releases/tag/v1.0.0"}]},"repo_metadata_updated_at":"2023-03-21T18:40:03.162Z","dependent_packages_count":2,"downloads":null,"downloads_period":null,"dependent_repos_count":3,"rankings":{"downloads":null,"dependent_repos_count":2.915935707173676,"dependent_packages_count":4.177641567392364,"stargazers_count":0.7014184733429707,"forks_count":1.3224356057893,"docker_downloads_count":null,"average":2.2793578384245774},"purl":"pkg:golang/github.com/gotify/server","advisories":[{"uuid":"GSA_kwCzR0hTQS0zMjQ0LThtZmYtdzM5OM4AAw3d","url":"https://github.com/advisories/GHSA-3244-8mff-w398","title":"Reflected XSS in Gotify's /docs via import of outdated Swagger UI","description":"### Impact\n\nGotify exposes an outdated instance of the [Swagger UI](https://swagger.io/tools/swagger-ui/) API documentation frontend at `/docs` which is susceptible to reflected XSS attacks when loading external Swagger config files.\n\nSpecifically, the DOMPurify version included with this version of Swagger UI is vulnerable to a [rendering XSS](https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/) incorporating the mutation payload detailed in [CVE-2020-26870](https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/) which was patched in 2021. 
This is further tracked in the GitHub Advisory Database as GHSA-QRMM-W75W-3WPX.\n\nAn attacker can execute arbitrary JavaScript and potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify.\n\n### Patches\n\nThe vulnerability has been fixed in version 2.2.3.\n\n### References\n\nhttps://github.com/gotify/server/pull/541","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2023-01-10T22:48:43.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/gotify/server/security/advisories/GHSA-3244-8mff-w398","https://github.com/gotify/server/pull/541","https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/","https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/","https://github.com/advisories/GHSA-3244-8mff-w398"],"source_kind":"github","identifiers":["GHSA-3244-8mff-w398"],"repository_url":"https://github.com/gotify/server","blast_radius":0.0,"created_at":"2023-01-10T23:03:14.294Z","updated_at":"2026-04-05T20:09:18.684Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zMjQ0LThtZmYtdzM5OM4AAw3d","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0zMjQ0LThtZmYtdzM5OM4AAw3d","packages":[{"ecosystem":"go","package_name":"github.com/gotify/server","versions":[{"first_patched_version":"2.2.3","vulnerable_version_range":"\u003c= 2.2.2"}],"purl":"pkg:go/github.com%2Fgotify%2Fserver"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zMjQ0LThtZmYtdzM5OM4AAw3d/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS14djZ4LTQ1NnYtMjR4aM4AAwqM","url":"https://github.com/advisories/GHSA-xv6x-456v-24xh","title":"gotify/server vulnerable 
to Cross-site Scripting in the application image file upload","description":"### Impact\n\nThe XSS vulnerability allows authenticated users to upload .html files. With that, an attacker could execute client-side scripts **if** another user opened a link, such as:\n\n```\nhttps://push.example.org/image/[alphanumeric string].html\n```\n\nAn attacker could potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify.\n\n### Patches\n\nThe vulnerability has been fixed in version 2.2.2.\n\n### Workarounds\n\nYou can use a reverse proxy to block access to non-image files in the `./image` directory.\n\n### References\n\nhttps://github.com/gotify/server/pull/534\nhttps://github.com/gotify/server/pull/535\n\n---\n\nThanks to rickshang (aka 无在无不在) for discovering and reporting this bug.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-30T00:58:09.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":4.6,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N","references":["https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh","https://nvd.nist.gov/vuln/detail/CVE-2022-46181","https://github.com/gotify/server/pull/534","https://github.com/gotify/server/pull/535","https://github.com/advisories/GHSA-xv6x-456v-24xh"],"source_kind":"github","identifiers":["GHSA-xv6x-456v-24xh","CVE-2022-46181"],"repository_url":"https://github.com/gotify/server","blast_radius":0.0,"created_at":"2022-12-30T01:03:09.177Z","updated_at":"2026-04-05T20:09:21.644Z","epss_percentage":0.00397,"epss_percentile":0.59943,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14djZ4LTQ1NnYtMjR4aM4AAwqM","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS14djZ4LTQ1NnYtMjR4aM4AAwqM","packages":[{"ecosystem":"go","package_name":"github.com/gotify/serve
r","versions":[{"first_patched_version":"2.2.2","vulnerable_version_range":"\u003c= 2.2.1"}],"purl":"pkg:go/github.com%2Fgotify%2Fserver"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14djZ4LTQ1NnYtMjR4aM4AAwqM/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/gotify/server","docker_dependents_count":1,"docker_downloads_count":39065731,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/gotify/server","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/gotify/server/dependencies","status":null,"funding_links":["https://github.com/sponsors/jmattheis","https://jmattheis.de/donate"],"critical":null,"issue_metadata":{"last_synced_at":"2023-05-29T22:46:35.005Z","issues_count":91,"pull_requests_count":17,"avg_time_to_close_issue":9784912.716216216,"avg_time_to_close_pull_request":244901.88235294117,"issues_closed_count":74,"pull_requests_closed_count":17,"pull_request_authors_count":8,"issue_authors_count":76,"avg_comments_per_issue":4.626373626373627,"avg_comments_per_pull_request":1.4117647058823528,"merged_pull_requests_count":16,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":60,"past_year_pull_requests_count":17,"past_year_avg_time_to_close_issue":523788.11320754717,"past_year_avg_time_to_close_pull_request":244901.88235294117,"past_year_issues_closed_count":53,"past_year_pull_requests_closed_count":17,"past_year_pull_request_authors_count":8,"past_year_issue_authors_count":50,"past_year_avg_comments_per_issue":3.0166666666666666,"past_year_avg_comments_per_pull_request":1.4117647058823528,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":16},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgotify%2Fserver/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.go
lang.org/packages/github.com%2Fgotify%2Fserver/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgotify%2Fserver/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgotify%2Fserver/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgotify%2Fserver/codemeta","maintainers":[]}