CVE-2026-40883
published 2026-04-21CVE-2026-40883: goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET…
PriorityP337high8.1CVSS 3.1
AVNACLPRNUIRSUCNIHAH
EPSS
0.14%
4.0th percentile
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs_v2 | >= 2.0.0-beta.4 < 2.0.0-beta.6 | 2.0.0-beta.6 |
| goshs | goshs | < 2.0.2 | 2.0.2 |
| goshs | goshs | — | — |
| patrickhener | goshs | < 2.0.2 | 2.0.2 |
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
nvdv4.06.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
patrickhener goshs 2.0.0-beta.4/2.0.0-beta.5 cross-site request forgery (GHSA-jrq5-hg6x-j6g3)
vuldb·2026-04-21·CVSS 6.1
CVE-2026-40883 [MEDIUM] patrickhener goshs 2.0.0-beta.4/2.0.0-beta.5 cross-site request forgery (GHSA-jrq5-hg6x-j6g3)
A vulnerability was found in patrickhener goshs 2.0.0-beta.4/2.0.0-beta.5. It has been classified as problematic. The affected element is an unknown function. This manipulation causes cross-site request forgery.
This vulnerability appears as CVE-2026-40883. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation
ghsa·2026-04-14
CVE-2026-40883 [MEDIUM] CWE-352 goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation
### Summary
goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as `?delete` and `?mkdir` because goshs relies on HTTP basic auth alone and performs no CSRF, `Origin`, or `Referer` validation for those routes. I reproduced this on `v2.0.0-beta.5`.
### Details
The vulnerable request handling is reachable through normal GET requests:
- `httpserver/handler.go:118-123` dispatches `?mkdir` directly to `handleMkdir()`
- `httpserver/handler.go:180-186` dispatches `?delete` directly to `deleteFile()`
Authentication is enforced only by HTTP basic auth:
- `ht
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-21
Published