CVE-2026-35392
Published 2026-04-06
Priority P350, critical, 9.8 CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.9th percentile)
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs | >= 0 < 1.1.5-0.20260401172448-237f3af891a9 | 1.1.5-0.20260401172448-237f3af891a9 |
| goshs | goshs | < 2.0.0 | 2.0.0 |
| goshs | goshs | — | — |
| patrickhener | goshs | < 2.0.0-beta.3 | 2.0.0-beta.3 |
OSV
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
osv·2026-04-03
CVE-2026-35392 [CRITICAL] goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
### Summary
* PUT upload has no path sanitization | `httpserver/updown.go:20-69`
This finding affects the default configuration; no flags or authentication are required.
### Details
**File:** `httpserver/updown.go:20-69`
**Trigger:** `PUT /` (server.go:57-59 routes directly to `put()`)
The handler uses `req.URL.Path` raw to build the save path. No `filepath.Clean`, no `..` check, no webroot containment.
```go
func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {
	upath := req.URL.Path // unsanitized
	filename := strings.Split(upath, "/")
	outName := filename[len(filename)-1]
	targetpath := strings.Split(upath, "/")
	targetpath = targetpath[:len(targetpath)-1]
	target := s…
```
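The three checks the advisory lists as missing (`filepath.Clean`, a `..` check, webroot containment), combined in one path resolver. This is an added Go example, not code from goshs or its fix; `resolveUpload`, `ErrBadUploadPath`, the `/srv/webroot` directory and the sample request paths are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadUploadPath is returned when a request path must not be written to.
var ErrBadUploadPath = errors.New("upload path rejected")

// resolveUpload (hypothetical helper) maps a request URL path to a file path
// strictly below webroot, or returns ErrBadUploadPath.
// Assumption: symlinks inside webroot are not resolved here.
func resolveUpload(webroot, urlPath string) (string, error) {
	root, err := filepath.Abs(webroot)
	if err != nil {
		return "", err
	}
	// Reject ".." segments outright instead of silently normalizing them.
	for _, seg := range strings.Split(urlPath, "/") {
		if seg == ".." {
			return "", ErrBadUploadPath
		}
	}
	// Join applies filepath.Clean; FromSlash converts to OS separators.
	target := filepath.Join(root, filepath.FromSlash(urlPath))
	// Containment: relative to root, the target must be a real child path.
	rel, err := filepath.Rel(root, target)
	escapes := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
	if err != nil || rel == "." || escapes {
		return "", ErrBadUploadPath
	}
	return target, nil
}

func main() {
	// Constructed sample request paths, not taken from the advisory.
	samples := []string{"/notes/report.txt", "/../outside.txt", "/a/../../outside.txt", "/"}
	for _, p := range samples {
		dst, err := resolveUpload("/srv/webroot", p)
		fmt.Printf("%-26q -> %q err=%v\n", p, dst, err)
	}
}
```

The segment check and the `filepath.Rel` check overlap on purpose: the second still holds if a path reaches the join in a form the first did not anticipate, such as OS-specific separators.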
GHSA
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
ghsa·2026-04-03
CVE-2026-35392 [CRITICAL] CWE-22 goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
No detection rules found.
No public exploits indexed.
Published: 2026-04-06