Refine your search
7 vulnerabilities found for by patrickhener
CVE-2026-40189 (GCVE-0-2026-40189)
Vulnerability from cvelistv5
Published
2026-04-10 19:44
Modified
2026-04-13 20:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Version: < 2.0.0-beta.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40189",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T20:52:58.640099Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T20:53:02.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder\u0027s auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T19:44:54.672Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx"
},
{
"name": "https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f"
},
{
"name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"
}
],
"source": {
"advisory": "GHSA-wvhv-qcqf-f3cx",
"discovery": "UNKNOWN"
},
"title": "goshs has a file-based ACL authorization bypass in goshs state-changing routes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40189",
"datePublished": "2026-04-10T19:44:54.672Z",
"dateReserved": "2026-04-09T20:59:17.620Z",
"dateUpdated": "2026-04-13T20:53:02.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40188 (GCVE-0-2026-40188)
Vulnerability from cvelistv5
Published
2026-04-10 19:43
Modified
2026-04-13 15:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1314 - Missing Write Protection for Parametric Data Values
Summary
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Version: >= 1.0.7, < 2.0.0-beta.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40188",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:28:25.294603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:35:32.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.7, \u003c 2.0.0-beta.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1314",
"description": "CWE-1314: Missing Write Protection for Parametric Data Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T19:43:45.197Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"
},
{
"name": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744"
},
{
"name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"
}
],
"source": {
"advisory": "GHSA-2943-crp8-38xx",
"discovery": "UNKNOWN"
},
"title": "goshs is Missing Write Protection for Parametric Data Values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40188",
"datePublished": "2026-04-10T19:43:45.197Z",
"dateReserved": "2026-04-09T20:59:17.620Z",
"dateUpdated": "2026-04-13T15:35:32.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35471 (GCVE-0-2026-35471)
Vulnerability from cvelistv5
Published
2026-04-06 21:38
Modified
2026-04-07 16:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Version: < 2.0.0-beta.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35471",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T16:22:40.861310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:22:49.068Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T21:38:27.657Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8"
}
],
"source": {
"advisory": "GHSA-6qcc-6q27-whp8",
"discovery": "UNKNOWN"
},
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in goshs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35471",
"datePublished": "2026-04-06T21:38:27.657Z",
"dateReserved": "2026-04-02T20:49:44.453Z",
"dateUpdated": "2026-04-07T16:22:49.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35393 (GCVE-0-2026-35393)
Vulnerability from cvelistv5
Published
2026-04-06 20:50
Modified
2026-04-08 13:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Version: < 2.0.0-beta.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35393",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T13:57:06.850226Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T13:58:10.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T20:50:25.216Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5"
}
],
"source": {
"advisory": "GHSA-jg56-wf8x-qrv5",
"discovery": "UNKNOWN"
},
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in goshs POST multipart upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35393",
"datePublished": "2026-04-06T20:50:25.216Z",
"dateReserved": "2026-04-02T17:03:42.074Z",
"dateUpdated": "2026-04-08T13:58:10.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35392 (GCVE-0-2026-35392)
Vulnerability from cvelistv5
Published
2026-04-06 20:48
Modified
2026-04-07 16:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Version: < 2.0.0-beta.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35392",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T16:19:16.196298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:19:28.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T20:48:56.647Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64"
}
],
"source": {
"advisory": "GHSA-g8mv-vp7j-qp64",
"discovery": "UNKNOWN"
},
"title": "goshs has an Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in goshs PUT Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35392",
"datePublished": "2026-04-06T20:48:56.647Z",
"dateReserved": "2026-04-02T17:03:42.074Z",
"dateUpdated": "2026-04-07T16:19:28.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34581 (GCVE-0-2026-34581)
Vulnerability from cvelistv5
Published
2026-04-02 18:04
Modified
2026-04-03 17:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Summary
goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Version: >= 1.1.0, < 2.0.0-beta.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34581",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T16:19:09.570992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T17:01:54.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.1.0, \u003c 2.0.0-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:04:35.217Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g"
},
{
"name": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216"
},
{
"name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"
}
],
"source": {
"advisory": "GHSA-jgfx-74g2-9r6g",
"discovery": "UNKNOWN"
},
"title": "goshs has Auth Bypass via Share Token"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34581",
"datePublished": "2026-04-02T18:04:35.217Z",
"dateReserved": "2026-03-30T16:56:30.999Z",
"dateUpdated": "2026-04-03T17:01:54.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46816 (GCVE-0-2025-46816)
Vulnerability from cvelistv5
Published
2025-05-06 18:41
Modified
2025-05-06 19:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patrickhener | goshs |
Version: >= 0.3.4, < 1.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T19:18:18.182995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T19:23:18.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.4, \u003c 1.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T18:41:58.035Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm"
},
{
"name": "https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa"
}
],
"source": {
"advisory": "GHSA-rwj2-w85g-5cmm",
"discovery": "UNKNOWN"
},
"title": "goshs route not protected, allows command execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46816",
"datePublished": "2025-05-06T18:41:58.035Z",
"dateReserved": "2025-04-30T19:41:58.133Z",
"dateUpdated": "2025-05-06T19:23:18.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}