Go modules package
github.com/patrickhener/goshs
pkg:golang/github.com/patrickhener/goshs
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42091 | Med | 6.5 | <= 1.1.4 | — | May 4, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * | |
| CVE-2026-40884 | Cri | 9.8 | <= 1.1.4 | — | Apr 21, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not | |
| CVE-2026-40876 | Hig | 8.8 | <= 1.1.4 | — | Apr 21, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail bou | |
| CVE-2026-40189 | Cri | 9.8 | <= 1.1.4 | — | Apr 10, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated at | |
| CVE-2026-40188 | Hig | 7.7 | >= 1.0.7, <= 1.1.4 | — | Apr 10, 2026 | goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4. | |
| CVE-2026-35471 | Cri | 9.8 | < 1.1.5-0.20260401172448-237f3af891a9 | 1.1.5-0.20260401172448-237f3af891a9 | Apr 6, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3. | |
| CVE-2026-35393 | Cri | 9.8 | < 1.1.5-0.20260401172448-237f3af891a9 | 1.1.5-0.20260401172448-237f3af891a9 | Apr 6, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3. | |
| CVE-2026-35392 | Cri | 9.8 | < 1.1.5-0.20260401172448-237f3af891a9 | 1.1.5-0.20260401172448-237f3af891a9 | Apr 6, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3. | |
| CVE-2026-34581 | Hig | 8.1 | >= 1.1.0 | — | Apr 2, 2026 | goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0. | |
| CVE-2025-46816 | Cri | 9.4 | >= 0.3.4, < 1.0.5 | 1.0.5 | May 6, 2025 | goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyo |
- affected <= 1.1.4
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: *
- affected <= 1.1.4
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not
- affected <= 1.1.4
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail bou
- affected <= 1.1.4
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated at
- affected >= 1.0.7, <= 1.1.4
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
- affected < 1.1.5-0.20260401172448-237f3af891a9fixed 1.1.5-0.20260401172448-237f3af891a9
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.
- affected < 1.1.5-0.20260401172448-237f3af891a9fixed 1.1.5-0.20260401172448-237f3af891a9
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
- affected < 1.1.5-0.20260401172448-237f3af891a9fixed 1.1.5-0.20260401172448-237f3af891a9
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
- affected >= 1.1.0
goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.
- affected >= 0.3.4, < 1.0.5fixed 1.0.5
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyo