
Patrickhener Goshs vulnerabilities

12 known vulnerabilities affecting patrickhener/goshs.

Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 5

Vulnerabilities

CVE-2026-40884 | P2 | CRITICAL | CVSS 9.8 | fixed in 2.0.0-beta.6 | 2026-04-21
CWE-306: goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated n
Source: nvd
CVE-2026-40189 | P2 | CRITICAL | CVSS 9.8 | fixed in 2.0.0-beta.4 | 2026-04-10
CWE-862: goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /u
Source: nvd
CVE-2025-46816 | P2 | CRITICAL | CVSS 9.4 | v>= 0.3.4, < 1.0.5 | 2025-05-06
CWE-77: goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the CLI option `-c`, thus allowing anyone to execute arbitrary commands through the use of websockets. Version
Source: nvd
CVE-2026-40876 | P2 | HIGH | CVSS 8.8 | fixed in 2.0.0-beta.6 | 2026-04-21
CWE-22: goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem
Source: nvd
CVE-2026-35471 | P3 | CRITICAL | CVSS 9.8 | fixed in 2.0.0-beta.3 | 2026-04-06
CWE-22: goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() is missing a return after the path traversal check. This vulnerability is fixed in 2.0.0-beta.3.
Source: nvd
CVE-2026-40885 | P3 | HIGH | CVSS 8.8 | v>= 2.0.0-beta.4, < 2.0.0-beta.6 | 2026-04-21
CWE-200: goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers,
Source: nvd
CVE-2026-35393 | P3 | CRITICAL | CVSS 9.8 | fixed in 2.0.0-beta.3 | 2026-04-06
CWE-22: goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory is not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
Source: nvd
CVE-2026-35392 | P3 | CRITICAL | CVSS 9.8 | fixed in 2.0.0-beta.3 | 2026-04-06
CWE-22: goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
Source: nvd
CVE-2026-40903 | P3 | CRITICAL | CVSS 9.1 | fixed in 2.0.0-beta.6 | 2026-04-21
CWE-829: goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6.
Source: nvd
CVE-2026-40188 | P3 | HIGH | CVSS 7.7 | v>= 1.0.7, < 2.0.0-beta.4 | 2026-04-10
CWE-1314: goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
Source: nvd
CVE-2026-34581 | P3 | HIGH | CVSS 8.1 | v>= 1.1.0, < 2.0.0-beta.2 | 2026-04-02
CWE-288: goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the goshs functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.
Source: nvd
CVE-2026-40883 | P3 | HIGH | CVSS 8.1 | fixed in 2.0.2 | 2026-04-21
CWE-352: goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CS
Source: nvd