cbcvebase.
CVE-2025-46816
published 2025-05-06


Priority: P2 61 | critical | 9.4 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.60% (44.5th percentile)

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the `-c` CLI option, thus allowing anyone to execute arbitrary commands through the use of websockets. Version 1.0.5 fixes the issue.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| github.com | patrickhener_goshs | >= 0.3.4 < 1.0.5 | 1.0.5 |
| patrickhener | goshs | | |