Medium severity 6.5 · NVD Advisory · Published May 4, 2026 · Updated May 12, 2026
CVE-2026-42091
Description
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.
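The Go sketch below is an added example, not code from goshs or its patch. It models the two conditions the description names (a token check applied to POST only, and a wildcard Access-Control-Allow-Origin on preflight) beside a hardened form that checks every state-changing method and echoes only one trusted origin. The token value, the X-CSRF-Token header name, the trusted origin and the guard/probe helpers are all assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed values for this sketch; none are taken from goshs.
const csrfToken, tokenHeader, trustedOrigin = "constructed-token", "X-CSRF-Token", "http://127.0.0.1:8000"

// guard wraps an upload handler; flawed=true checks the token on POST only and answers preflights with "*".
func guard(next http.Handler, flawed bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions {
			if flawed {
				w.Header().Set("Access-Control-Allow-Origin", "*")
			} else if r.Header.Get("Origin") == trustedOrigin {
				w.Header().Set("Access-Control-Allow-Origin", trustedOrigin)
			}
			w.WriteHeader(http.StatusNoContent)
			return
		}
		check := r.Method != http.MethodGet && r.Method != http.MethodHead // hardened: all but safe reads
		if flawed {
			check = r.Method == http.MethodPost
		}
		if check && subtle.ConstantTimeCompare([]byte(r.Header.Get(tokenHeader)), []byte(csrfToken)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a tokenless request with an untrusted Origin; returns status and the CORS header.
func probe(flawed bool, method string) (int, string) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })
	req := httptest.NewRequest(method, "/upload.txt", nil)
	req.Header.Set("Origin", "https://untrusted.example")
	rec := httptest.NewRecorder()
	guard(ok, flawed).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Println(probe(true, "PUT"))  // flawed: upload accepted without a token
	fmt.Println(probe(false, "PUT")) // hardened: rejected
}
```

The probe function doubles as a regression check: a tokenless PUT must be rejected and a preflight from an untrusted origin must come back without an Access-Control-Allow-Origin header.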
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/patrickhener/goshs/v2 (Go) | < 2.0.2 | 2.0.2 |
| github.com/patrickhener/goshs (Go) | <= 1.1.4 | — |
Affected products (4)
- ghsa-coords: 2 versions (<= 1.1.4 + 1 more)
- (no CPE) range: <= 1.1.4
- (no CPE) range: < 2.0.2
References (5)
- github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32 (nvd: Patch, WEB)
- github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm (nvd: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-rhf7-wvw3-vjvm (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-42091 (ghsa: ADVISORY)
- github.com/patrickhener/goshs/releases/tag/v2.0.2 (nvd: Product, Release Notes, WEB)