8.1

CVE-2026-34581

Exploit

EPSS 0.03%
Veröffentlicht 02.04.2026 18:04:35
Zuletzt bearbeitet 15.04.2026 17:38:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Goshs ≫ Goshs SwPlatformgo Version >= 1.1.0 < 2.0.0

Goshs ≫ Goshs Version2.0.0 Updatebeta1 SwPlatformgo

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.088

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g

Vendor Advisory

Exploit

https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216

Patch

https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-34581

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34581

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34581

EUVD