9.8

CVE-2026-40884

Exploit

goshs: Empty-username SFTP password authentication bypass in goshs

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6.
Data provided by the National Vulnerability Database (NVD)
Goshs | Goshs | SwPlatform: go | Version < 2.0.0
Goshs | Goshs | Version 2.0.0 | Update beta1 | SwPlatform: go
Goshs | Goshs | Version 2.0.0 | Update beta2 | SwPlatform: go
Goshs | Goshs | Version 2.0.0 | Update beta3 | SwPlatform: go
Goshs | Goshs | Version 2.0.0 | Update beta4 | SwPlatform: go
Goshs | Goshs | Version 2.0.0 | Update beta5 | SwPlatform: go
No warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.48% | 0.374
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
security-advisories@github.com | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/patrickhener/goshs/security/advisories/GHSA-c29w-qq4m-2gcv
Vendor Advisory
Exploit