VYPR

Go modules package

github.com/patrickhener/goshs/v2

pkg:golang/github.com/patrickhener/goshs/v2

Vulnerabilities (5)

  • CVE-2026-42091 | Medium | May 4, 2026
    affected < 2.0.2 | fixed 2.0.2

    goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: *

  • CVE-2026-40885 | High | Apr 21, 2026
    affected >= 2.0.0-beta.4, < 2.0.0-beta.6 | fixed 2.0.0-beta.6

    goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is

  • CVE-2026-40884 | Critical | Apr 21, 2026
    affected < 2.0.0 | fixed 2.0.0

    goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not

  • CVE-2026-40883 | High | Apr 21, 2026
    affected >= 2.0.0-beta.4, < 2.0.0-beta.6 | fixed 2.0.0-beta.6

    goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete an

  • CVE-2026-40876 | High | Apr 21, 2026
    affected < 2.0.0 | fixed 2.0.0

    goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail bou