Go modules package
github.com/patrickhener/goshs/v2
pkg:golang/github.com/patrickhener/goshs/v2
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42091 | Medium | 6.5 | | < 2.0.2 | 2.0.2 | May 4, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * |
| CVE-2026-40885 | High | 8.8 | | >= 2.0.0-beta.4, < 2.0.0-beta.6 | 2.0.0-beta.6 | Apr 21, 2026 | goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is |
| CVE-2026-40884 | Critical | 9.8 | | < 2.0.0 | 2.0.0 | Apr 21, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not |
| CVE-2026-40883 | High | 8.1 | | >= 2.0.0-beta.4, < 2.0.0-beta.6 | 2.0.0-beta.6 | Apr 21, 2026 | goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete an |
| CVE-2026-40876 | High | 8.8 | | < 2.0.0 | 2.0.0 | Apr 21, 2026 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail bou |