Github.Com Patrickhener Goshs vulnerabilities

9 known vulnerabilities affecting github.com/patrickhener_goshs.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 3

Vulnerabilities

CVE-2026-40884 | P2 | CRITICAL | ≥ 0, ≤ 1.1.4 | 2026-04-14
CVE-2026-40884 [CRITICAL] CWE-306 goshs has an empty-username SFTP password authentication bypass

### Summary
goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with `-b ':pass'` together with `-sftp`, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFT
ghsa
CVE-2026-40189 | P2 | CRITICAL | ≥ 0, ≤ 1.1.4 | 2026-04-10
CVE-2026-40189 [CRITICAL] CWE-862 goshs has a file-based ACL authorization bypass in goshs state-changing routes

### Summary
goshs enforces the documented per-folder `.goshs` ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with `PUT`, upload files with multipart `POST /upload`,
ghsa
CVE-2025-46816 | P2 | CRITICAL | ≥ 0.3.4, < 1.0.5 | 2025-05-06
CVE-2025-46816 [CRITICAL] CWE-284 goshs route not protected, allows command execution

### Summary
It seems that when running **goshs** without arguments it is possible for anyone to execute commands on the server. This was tested on version **1.0.4** of **goshs**. The command function was introduced in version **0.3.4**.

### Details
It seems that the function `dispatchReadPump` does not check the CLI option `-c`, thus allowing anyo
ghsa, osv
CVE-2026-40876 | P2 | HIGH | ≥ 0, ≤ 1.1.4 | 2026-04-14
CVE-2026-40876 [HIGH] CWE-22 SFTP root escape via prefix-based path validation in goshs

### Summary
goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.

### Details
The SFTP subsystem routes requests through `sftpserver/sft
ghsa
CVE-2026-35471 | P3 | CRITICAL | ≥ 0, < 1.1.5-0.20260401172448-237f3af891a9 | 2026-04-03
CVE-2026-35471 [CRITICAL] CWE-22 goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

### Summary
* `deleteFile()` missing return after path traversal check | `httpserver/handler.go:645-671`

The finding affects the default configuration, no flags or authentication required.

### Details
**File:** `httpserver/handler.go:645-671`
**Trigger:** `GET /?delete` (handler.go:157-160 disp
ghsa, osv
CVE-2026-35393 | P3 | CRITICAL | ≥ 0, < 1.1.5-0.20260401172448-237f3af891a9 | 2026-04-03
CVE-2026-35393 [CRITICAL] CWE-22 goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload

### Summary
* POST multipart upload directory not sanitized | `httpserver/updown.go:71-174`

This finding affects the default configuration, no flags or authentication required.

### Details
**File:** `httpserver/updown.go:71-174` *
ghsa, osv
CVE-2026-35392 | P3 | CRITICAL | ≥ 0, < 1.1.5-0.20260401172448-237f3af891a9 | 2026-04-03
CVE-2026-35392 [CRITICAL] CWE-22 goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload

### Summary
* PUT upload has no path sanitization | `httpserver/updown.go:20-69`

This finding affects the default configuration, no flags or authentication required.

### Details
**File:** `httpserver/updown.go:20-69`
**Trigger:** `PUT /` (server.go:57
ghsa, osv
CVE-2026-40188 | P3 | HIGH | ≥ 1.0.7, ≤ 1.1.4 | 2026-04-10
CVE-2026-40188 [HIGH] CWE-1314 goshs is Missing Write Protection for Parametric Data Values

### Summary
The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP.

### Details
Here is the issue:

```go
// helper.go:155-215
func cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {
	fullPath, err := sanitizePath(r.Filepa
```
ghsa
CVE-2026-34581 | P3 | HIGH | ≥ 1.1.0 | 2026-04-01
CVE-2026-34581 [HIGH] CWE-288 goshs has Auth Bypass via Share Token

### Summary
When using the `Share Token` it is possible to bypass the limited selected file download with all the goshs functionalities, including code exec.

### Details
The `BasicAuthMiddleware` checks for a `?token=` parameter **before** checking credentials. If the token exists in `SharedLinks`, the request passes through with **no auth check at all**. The handler then processes all que
ghsa, osv