CVE-2026-40188
published 2026-04-10CVE-2026-40188: goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination…
PriorityP346high7.7CVSS 3.1
AVNACLPRLUINSCCNIHAN
EPSS
0.32%
23.5th percentile
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs | 1.0.7 – 1.1.4 | — |
| goshs | goshs | — | — |
| goshs | goshs | >= 1.0.7 < 2.0.0 | 2.0.0 |
| patrickhener | goshs | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
patrickhener goshs up to 1.0.6/2.0.0-beta.3 missing write protection for parametric data values (GHSA-2943-crp8-38xx)
vuldb·2026-04-10·CVSS 7.7
CVE-2026-40188 [HIGH] patrickhener goshs up to 1.0.6/2.0.0-beta.3 missing write protection for parametric data values (GHSA-2943-crp8-38xx)
A vulnerability was found in patrickhener goshs up to 1.0.6/2.0.0-beta.3. It has been classified as problematic. This issue affects some unknown processing. The manipulation leads to missing write protection for parametric data values.
This vulnerability is documented as CVE-2026-40188. The attack can be initiated remotely. There is not any exploit available.
Upgrading the affected component is recommended.
GHSA
goshs is Missing Write Protection for Parametric Data Values
ghsa·2026-04-10
CVE-2026-40188 [HIGH] CWE-1314 goshs is Missing Write Protection for Parametric Data Values
goshs is Missing Write Protection for Parametric Data Values
### Summary
The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP.
### Details
Here is the issue:
```go
// helper.go:155-215
func cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {
fullPath, err := sanitizePath(r.Filepath, root) // Source: SANITIZED
if err != nil {
return err
}
switch r.Method {
// ...
case "Rename":
err := os.Rename(fullPath, r.Target) // Destination: NOT SANITIZED!
```
### PoC
To exploit just upload a file on the SFTP and rename it to a file with full path.
Currently no key.txt file inside /tmp
``` bash
$ ls key.txt
ls: key.txt: No such file or directory
```
Start the SFTP serve
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xxhttps://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx
2026-04-10
Published