CVE-2026-35393
Published 2026-04-06
Priority: P351 | Severity: critical, CVSS 3.0 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.9th percentile)
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs | >= 0 < 1.1.5-0.20260401172448-237f3af891a9 | 1.1.5-0.20260401172448-237f3af891a9 |
| goshs | goshs | < 2.0.0 | 2.0.0 |
| goshs | goshs | — | — |
| patrickhener | goshs | < 2.0.0-beta.3 | 2.0.0-beta.3 |
GHSA · 2026-04-03
CVE-2026-35393 [CRITICAL] CWE-22 goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
### Summary
* POST multipart upload directory not sanitized | `httpserver/updown.go:71-174`
This finding affects the default configuration; no flags or authentication are required.
### Details
**File:** `httpserver/updown.go:71-174`
**Trigger:** `POST //upload` (server.go:49-51 checks `HasSuffix(r.URL.Path, "/upload")`)
The filename is sanitized (slashes stripped, lines 105-106), but the target directory comes from `req.URL.Path` unsanitized:
```go
upath := req.URL.Path // unsanitized
targetpath := strings.Split(upath, "/")
targetpath = targetpath[:len(targetpath)-1] // strips trailing "upload"
target := strings.Join(targetpath, "/")
filenameSlice := strings.Split(part.Fil
```
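Added example, not goshs code: the derivation quoted above is reproduced as `unsanitizedUploadDir`, beside a hardened `safeUploadDir` that cleans the rooted URL path, joins it to the served directory and then verifies the result is still inside it. The `webroot` parameter, the function names and the hardened form itself are this example's assumptions and not the project's actual fix.

```go
package main

import (
	"errors"
	"path"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a derived target would leave the served tree.
var ErrOutsideRoot = errors.New("upload target escapes the served directory")

// unsanitizedUploadDir reproduces the derivation quoted in the advisory:
// split the URL path on "/", drop the trailing "upload" segment and re-join
// without cleaning, so empty, "." and ".." segments sent by the client
// survive into the directory that is later written to.
func unsanitizedUploadDir(urlPath string) string {
	targetpath := strings.Split(urlPath, "/")
	targetpath = targetpath[:len(targetpath)-1] // strips trailing "upload"
	return strings.Join(targetpath, "/")
}

// safeUploadDir is a hardened replacement (an assumption of this example):
// the remainder is cleaned as a URL path rooted at "/", joined to webroot,
// and the joined result is checked to still lie inside webroot.
func safeUploadDir(webroot, urlPath string) (string, error) {
	if !strings.HasSuffix(urlPath, "/upload") {
		return "", errors.New("not an upload request")
	}
	rel := strings.TrimSuffix(urlPath, "/upload")
	// Cleaning a path rooted at "/" collapses "//", "." and ".." and can
	// never yield anything above "/".
	rel = path.Clean("/" + rel)
	root := filepath.Clean(webroot)
	target := filepath.Join(root, filepath.FromSlash(rel))
	// Defence in depth: confirm containment after the join instead of
	// trusting the cleaning step alone.
	if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}
```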
OSV · 2026-04-03 (carries the same advisory text as the GHSA entry)
No detection rules found.
No public exploits indexed.