Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
7 vulnerabilities by patrickhener
CVE-2026-40189 (GCVE-0-2026-40189)
Vulnerability from cvelistv5 – Published: 2026-04-10 19:44 – Updated: 2026-04-10 19:44
VLAI?
Title
goshs has a file-based ACL authorization bypass in goshs state-changing routes
Summary
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Affected:
< 2.0.0-beta.4
|
{
"containers": {
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder\u0027s auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T19:44:54.672Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx"
},
{
"name": "https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f"
},
{
"name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"
}
],
"source": {
"advisory": "GHSA-wvhv-qcqf-f3cx",
"discovery": "UNKNOWN"
},
"title": "goshs has a file-based ACL authorization bypass in goshs state-changing routes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40189",
"datePublished": "2026-04-10T19:44:54.672Z",
"dateReserved": "2026-04-09T20:59:17.620Z",
"dateUpdated": "2026-04-10T19:44:54.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40188 (GCVE-0-2026-40188)
Vulnerability from cvelistv5 – Published: 2026-04-10 19:43 – Updated: 2026-04-10 19:43
VLAI?
Title
goshs is Missing Write Protection for Parametric Data Values
Summary
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
Severity ?
7.7 (High)
CWE
- CWE-1314 - Missing Write Protection for Parametric Data Values
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Affected:
>= 1.0.7, < 2.0.0-beta.4
|
{
"containers": {
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.7, \u003c 2.0.0-beta.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1314",
"description": "CWE-1314: Missing Write Protection for Parametric Data Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T19:43:45.197Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"
},
{
"name": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744"
},
{
"name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"
}
],
"source": {
"advisory": "GHSA-2943-crp8-38xx",
"discovery": "UNKNOWN"
},
"title": "goshs is Missing Write Protection for Parametric Data Values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40188",
"datePublished": "2026-04-10T19:43:45.197Z",
"dateReserved": "2026-04-09T20:59:17.620Z",
"dateUpdated": "2026-04-10T19:43:45.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35471 (GCVE-0-2026-35471)
Vulnerability from cvelistv5 – Published: 2026-04-06 21:38 – Updated: 2026-04-07 16:22
VLAI?
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs
Summary
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.
Severity ?
9.8 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Affected:
< 2.0.0-beta.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35471",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T16:22:40.861310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:22:49.068Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T21:38:27.657Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8"
}
],
"source": {
"advisory": "GHSA-6qcc-6q27-whp8",
"discovery": "UNKNOWN"
},
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in goshs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35471",
"datePublished": "2026-04-06T21:38:27.657Z",
"dateReserved": "2026-04-02T20:49:44.453Z",
"dateUpdated": "2026-04-07T16:22:49.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35393 (GCVE-0-2026-35393)
Vulnerability from cvelistv5 – Published: 2026-04-06 20:50 – Updated: 2026-04-08 13:58
VLAI?
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
Summary
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
Severity ?
9.8 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Affected:
< 2.0.0-beta.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35393",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T13:57:06.850226Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T13:58:10.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T20:50:25.216Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5"
}
],
"source": {
"advisory": "GHSA-jg56-wf8x-qrv5",
"discovery": "UNKNOWN"
},
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in goshs POST multipart upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35393",
"datePublished": "2026-04-06T20:50:25.216Z",
"dateReserved": "2026-04-02T17:03:42.074Z",
"dateUpdated": "2026-04-08T13:58:10.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35392 (GCVE-0-2026-35392)
Vulnerability from cvelistv5 – Published: 2026-04-06 20:48 – Updated: 2026-04-07 16:19
VLAI?
Title
goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
Summary
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
Severity ?
9.8 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Affected:
< 2.0.0-beta.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35392",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T16:19:16.196298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:19:28.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T20:48:56.647Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64"
}
],
"source": {
"advisory": "GHSA-g8mv-vp7j-qp64",
"discovery": "UNKNOWN"
},
"title": "goshs has an Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in goshs PUT Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35392",
"datePublished": "2026-04-06T20:48:56.647Z",
"dateReserved": "2026-04-02T17:03:42.074Z",
"dateUpdated": "2026-04-07T16:19:28.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34581 (GCVE-0-2026-34581)
Vulnerability from cvelistv5 – Published: 2026-04-02 18:04 – Updated: 2026-04-03 17:01
VLAI?
Title
goshs has Auth Bypass via Share Token
Summary
goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.
Severity ?
8.1 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Affected:
>= 1.1.0, < 2.0.0-beta.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34581",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T16:19:09.570992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T17:01:54.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.1.0, \u003c 2.0.0-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:04:35.217Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g"
},
{
"name": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216"
},
{
"name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"
}
],
"source": {
"advisory": "GHSA-jgfx-74g2-9r6g",
"discovery": "UNKNOWN"
},
"title": "goshs has Auth Bypass via Share Token"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34581",
"datePublished": "2026-04-02T18:04:35.217Z",
"dateReserved": "2026-03-30T16:56:30.999Z",
"dateUpdated": "2026-04-03T17:01:54.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46816 (GCVE-0-2025-46816)
Vulnerability from cvelistv5 – Published: 2025-05-06 18:41 – Updated: 2025-05-06 19:23
VLAI?
Title
goshs route not protected, allows command execution
Summary
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.
Severity ?
9.4 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Affected:
>= 0.3.4, < 1.0.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T19:18:18.182995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T19:23:18.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.4, \u003c 1.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T18:41:58.035Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm"
},
{
"name": "https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa"
}
],
"source": {
"advisory": "GHSA-rwj2-w85g-5cmm",
"discovery": "UNKNOWN"
},
"title": "goshs route not protected, allows command execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46816",
"datePublished": "2025-05-06T18:41:58.035Z",
"dateReserved": "2025-04-30T19:41:58.133Z",
"dateUpdated": "2025-05-06T19:23:18.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}