7.7

CVE-2026-40188

Exploit

goshs is Missing Write Protection for Parametric Data Values

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
Data provided by the National Vulnerability Database (NVD)
Goshs / Goshs, SwPlatform: go, Version: >= 1.0.7 < 2.0.0
Goshs / Goshs, Version: 2.0.0, Update: beta1, SwPlatform: go
Goshs / Goshs, Version: 2.0.0, Update: beta2, SwPlatform: go
Goshs / Goshs, Version: 2.0.0, Update: beta3, SwPlatform: go
No warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.32% 0.233
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.7 3.1 4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
CWE-1314 Missing Write Protection for Parametric Data Values

The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.

https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx (Vendor Advisory, Exploit)
https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744 (Patch)
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4 (Product, Release Notes)