CVE-2026-40189
- EPSS 0.11%
- Published 10.04.2026 19:44:54
- Last modified 14.04.2026 20:08:54
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing...
CVE-2026-40188
- EPSS 0.03%
- Published 10.04.2026 19:43:45
- Last modified 14.04.2026 20:15:28
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is ...
CVE-2026-35471
- EPSS 0.11%
- Published 06.04.2026 21:38:27
- Last modified 09.04.2026 21:20:35
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() is missing a return after the path traversal check. This vulnerability is fixed in 2.0.0-beta.3.
CVE-2026-35393
- EPSS 0.11%
- Published 06.04.2026 20:50:25
- Last modified 09.04.2026 21:20:27
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory is not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
CVE-2026-35392
- EPSS 0.11%
- Published 06.04.2026 20:48:56
- Last modified 09.04.2026 21:20:20
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
CVE-2026-34581
- EPSS 0.03%
- Published 02.04.2026 18:04:35
- Last modified 15.04.2026 17:38:30
goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue ha...