Github.Com Patrickhener Goshs vulnerabilities
9 known vulnerabilities affecting github.com/patrickhener_goshs.
Total CVEs
9
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL6HIGH3
Vulnerabilities
Page 1 of 1
CVE-2026-40884P2CRITICAL≥ 0, ≤ 1.1.42026-04-14
CVE-2026-40884 [CRITICAL] CWE-306 goshs has an empty-username SFTP password authentication bypass
goshs has an empty-username SFTP password authentication bypass
### Summary
goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with `-b ':pass'` together with `-sftp`, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFT
ghsa
CVE-2026-40189P2CRITICAL≥ 0, ≤ 1.1.42026-04-10
CVE-2026-40189 [CRITICAL] CWE-862 goshs has a file-based ACL authorization bypass in goshs state-changing routes
goshs has a file-based ACL authorization bypass in goshs state-changing routes
### Summary
goshs enforces the documented per-folder `.goshs` ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with `PUT`, upload files with multipart `POST /upload`,
ghsa
CVE-2025-46816P2CRITICAL≥ 0.3.4, < 1.0.52025-05-06
CVE-2025-46816 [CRITICAL] CWE-284 goshs route not protected, allows command execution
goshs route not protected, allows command execution
### Summary
It seems that when running **goshs** without arguments it is possible for anyone to execute commands on the server. This was tested on version **1.0.4** of **goshs**. The command function was introduced in version **0.3.4**.
### Details
It seems that the function ```dispatchReadPump``` does not checks the option cli ```-c```, thus allowing anyo
ghsaosv
CVE-2026-40876P2HIGH≥ 0, ≤ 1.1.42026-04-14
CVE-2026-40876 [HIGH] CWE-22 SFTP root escape via prefix-based path validation in goshs
SFTP root escape via prefix-based path validation in goshs
### Summary
goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.
### Details
The SFTP subsystem routes requests through `sftpserver/sft
ghsa
CVE-2026-35471P3CRITICAL≥ 0, < 1.1.5-0.20260401172448-237f3af891a92026-04-03
CVE-2026-35471 [CRITICAL] CWE-22 goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
### Summary
* `deleteFile()` missing return after path traversal check | `httpserver/handler.go:645-671`
The finding affects the default configuration, no flags or authentication required.
### Details
**File:** `httpserver/handler.go:645-671`
**Trigger:** `GET /?delete` (handler.go:157-160 disp
ghsaosv
CVE-2026-35393P3CRITICAL≥ 0, < 1.1.5-0.20260401172448-237f3af891a92026-04-03
CVE-2026-35393 [CRITICAL] CWE-22 goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
### Summary
* POST multipart upload directory not sanitized | `httpserver/updown.go:71-174`
This finding affect the default configuration, no flags or authentication required.
### Details
**File:** `httpserver/updown.go:71-174`
*
ghsaosv
CVE-2026-35392P3CRITICAL≥ 0, < 1.1.5-0.20260401172448-237f3af891a92026-04-03
CVE-2026-35392 [CRITICAL] CWE-22 goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
### Summary
* PUT upload has no path sanitization | `httpserver/updown.go:20-69`
This finding affects the default configuration, no flags or authentication required.
### Details
**File:** `httpserver/updown.go:20-69`
**Trigger:** `PUT /` (server.go:57
ghsaosv
CVE-2026-40188P3HIGH≥ 1.0.7, ≤ 1.1.42026-04-10
CVE-2026-40188 [HIGH] CWE-1314 goshs is Missing Write Protection for Parametric Data Values
goshs is Missing Write Protection for Parametric Data Values
### Summary
The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP.
### Details
Here is the issue:
```go
// helper.go:155-215
func cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {
fullPath, err := sanitizePath(r.Filepa
ghsa
CVE-2026-34581P3HIGH≥ 1.1.02026-04-01
CVE-2026-34581 [HIGH] CWE-288 goshs has Auth Bypass via Share Token
goshs has Auth Bypass via Share Token
### Summary
When using the `Share Token` it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec.
### Details
The `BasicAuthMiddleware` checks for a `?token=` parameter **before** checking credentials. If the token exists in `SharedLinks`, the request passes through with **no auth check at all**. The handler then processes all que
ghsaosv