VYPR

rpm package

opensuse/goshs&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/goshs&distro=openSUSE%20Tumbleweed

Vulnerabilities (5)

  • CVE-2026-40189CriApr 10, 2026
    affected < 2.0.0-1.1fixed 2.0.0-1.1

    goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated at

  • CVE-2026-40188HigApr 10, 2026
    affected < 2.0.0-1.1fixed 2.0.0-1.1

    goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

  • CVE-2026-35471CriApr 6, 2026
    affected < 2.0.0-1.1fixed 2.0.0-1.1

    goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.

  • CVE-2026-35393CriApr 6, 2026
    affected < 2.0.0-1.1fixed 2.0.0-1.1

    goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.

  • CVE-2026-35392CriApr 6, 2026
    affected < 2.0.0-1.1fixed 2.0.0-1.1

    goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.