CVE-2026-35471
Published 2026-04-06
Priority P355, critical, CVSS 3.0 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.9th percentile)
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, deleteFile() is missing a return after the path traversal check. This vulnerability is fixed in 2.0.0-beta.3.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs | >= 0 < 1.1.5-0.20260401172448-237f3af891a9 | 1.1.5-0.20260401172448-237f3af891a9 |
| goshs | goshs | < 2.0.0 | 2.0.0 |
| goshs | goshs | — | — |
| patrickhener | goshs | < 2.0.0-beta.3 | 2.0.0-beta.3 |
GHSA
goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
ghsa·2026-04-03
CVE-2026-35471 [CRITICAL] CWE-22 goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
### Summary
* `deleteFile()` missing return after path traversal check | `httpserver/handler.go:645-671`
The finding affects the default configuration; no flags or authentication are required.
### Details
**File:** `httpserver/handler.go:645-671`
**Trigger:** `GET /?delete` (handler.go:157-160 dispatches to `deleteFile`)
The function detects `..` in the decoded path but does not `return`.
```go
func (fs *FileServer) deleteFile(w http.ResponseWriter, req *http.Request) {
	upath := filepath.FromSlash(filepath.Clean("/" + strings.Trim(req.URL.Path, "/")))
	fileCleaned, _ := url.QueryUnescape(upath)
	if strings.Contains(fileCleaned, "..") {
		w.WriteHeader(500)
		_, err := w.Write([]byte("Cannot delete file"))
		if e
// [excerpt truncated in the source]
```
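The missing-return pattern described in the details above, reduced to a stand-alone Go program as an added example (not goshs code and not the project's patch). The `remover` callback, the `run` helper, the root `/srv/share` and the input strings are constructed for illustration; the hardened variant is one possible fix that returns on rejection and checks containment with `filepath.Rel`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// remover stands in for the filesystem delete so the example touches no files.
type remover func(path string) error

// deleteVulnerable mirrors the flaw: the ".." check responds but never returns.
func deleteVulnerable(w http.ResponseWriter, root, decoded string, remove remover) {
	if strings.Contains(decoded, "..") {
		w.WriteHeader(http.StatusInternalServerError)
		_, _ = w.Write([]byte("Cannot delete file")) // BUG: no return follows
	}
	_ = remove(filepath.Join(root, decoded)) // still reached for rejected paths
}

// deleteHardened returns on rejection and checks containment on the resolved path.
func deleteHardened(w http.ResponseWriter, root, decoded string, remove remover) {
	target := filepath.Join(root, decoded)
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		http.Error(w, "Cannot delete file", http.StatusBadRequest)
		return // nothing below may run for a rejected path
	}
	if err := remove(target); err != nil {
		http.Error(w, "Cannot delete file", http.StatusInternalServerError)
	}
}

// run drives a handler with a recording remover (root /srv/share is constructed)
// and returns the HTTP status plus every path that reached the delete call.
func run(h func(http.ResponseWriter, string, string, remover), decoded string) (int, []string) {
	var removed []string
	rec := httptest.NewRecorder()
	h(rec, "/srv/share", decoded, func(p string) error { removed = append(removed, p); return nil })
	return rec.Code, removed
}

func main() {
	for _, p := range []string{"notes.txt", "../outside.txt"} { // constructed inputs
		vc, vr := run(deleteVulnerable, p)
		hc, hr := run(deleteHardened, p)
		fmt.Println(p, "vulnerable:", vc, vr, "hardened:", hc, hr)
	}
}
```

In the vulnerable variant the client sees an error status while the delete call has already run, so the response code alone does not indicate whether a file was removed.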
OSV
goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
osv·2026-04-03
CVE-2026-35471 [CRITICAL] goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
No detection rules found.
No public exploits indexed.