# github.com/patrickhener/goshs/v2 vulnerabilities
4 known vulnerabilities affecting github.com/patrickhener/goshs/v2.
- Total CVEs: 4
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1
Vulnerabilities
## CVE-2026-40884 [CRITICAL] CWE-306: goshs has an empty-username SFTP password authentication bypass
Priority: P2 | Affected versions: ≥ 0, < 2.0.0 | Date: 2026-04-14
### Summary
goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with `-b ':pass'` together with `-sftp`, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFT
Source: GHSA
## CVE-2026-40876 [HIGH] CWE-22: SFTP root escape via prefix-based path validation in goshs
Priority: P2 | Affected versions: ≥ 0, < 2.0.0 | Date: 2026-04-14
### Summary
goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.
### Details
The SFTP subsystem routes requests through `sftpserver/sft
Source: GHSA
## CVE-2026-40885 [HIGH] CWE-200: goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access
Priority: P3 | Affected versions: ≥ 2.0.0-beta.4, < 2.0.0-beta.6 | Date: 2026-04-14
### Summary
goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to `.goshs`-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request
Source: GHSA
## CVE-2026-40883 [MEDIUM] CWE-352: CSRF in goshs's state-changing GET routes enables authenticated file deletion and directory creation
Priority: P3 | Affected versions: ≥ 2.0.0-beta.4, < 2.0.0-beta.6 | Date: 2026-04-14
### Summary
goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as `?delete` and `?mkdir` because goshs relies on HTTP basic
Source: GHSA