Goshs

12 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
Exploit
  • EPSS 0.17%
  • Published 04.05.2026 17:24:47
  • Last modified 12.05.2026 18:34:28

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional ...

  • EPSS 0.25%
  • Published 21.04.2026 19:43:36
  • Last modified 01.05.2026 16:15:06

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code...

Exploit
  • EPSS 0.31%
  • Published 21.04.2026 19:40:37
  • Last modified 27.04.2026 14:51:50

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are ...

Exploit
  • EPSS 0.48%
  • Published 21.04.2026 19:39:25
  • Last modified 27.04.2026 14:55:18

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts t...

Exploit
  • EPSS 0.14%
  • Published 21.04.2026 19:35:37
  • Last modified 27.04.2026 14:57:06

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destruct...

Exploit
  • EPSS 0.44%
  • Published 21.04.2026 19:34:19
  • Last modified 24.04.2026 20:38:12

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, whic...

Exploit
  • EPSS 0.65%
  • Published 10.04.2026 19:44:54
  • Last modified 14.04.2026 20:08:54

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing...

Exploit
  • EPSS 0.32%
  • Published 10.04.2026 19:43:45
  • Last modified 14.04.2026 20:15:28

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is ...

Exploit
  • EPSS 0.68%
  • Published 06.04.2026 21:38:27
  • Last modified 09.04.2026 21:20:35

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() is missing a return after the path traversal check. This vulnerability is fixed in 2.0.0-beta.3.

Exploit
  • EPSS 0.68%
  • Published 06.04.2026 20:50:25
  • Last modified 09.04.2026 21:20:27

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory is not sanitized. This vulnerability is fixed in 2.0.0-beta.3.