CRITICAL🇵🇱 Wersja polska

CVE-2026-35392

CVSS 9.8v3.0pub. 2026-04-06upd. 2026-04-09

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.

🤖 AI Analysis
How it works

The vulnerability is located in the httpserver/updown.go file responsible for handling PUT requests. When uploading a file, the server does not verify or sanitize the target path provided by the client. An attacker can craft an HTTP PUT request containing path traversal sequences (e.g., '../../../'), which allow writing a file outside the server's designated working directory.

Impact

An attacker can write arbitrary files to any location in the file system accessible to the goshs process, which may lead to violations of confidentiality, integrity and availability of the system — including malicious code execution through overwriting critical configuration or binary files.

Mitigation & patch

Goshs should be updated to version 2.0.0-beta.3 or newer, in which the vulnerability has been fixed. Until the update is applied, it is recommended to restrict network access to the goshs instance only to trusted hosts and disable PUT upload functionality if not required.

Who is affected

Goshs in all versions before 2.0.0-beta.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Goshs

    APP
    Goshs
    2.0.0< 2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-40884CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)

CVE-2026-40903CRITICAL9.1PL ✓ten sam produkt

Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)

CVE-2026-40189CRITICAL9.3PL ✓ten sam produkt

Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia

CVE-2026-35471CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()

CVE-2026-35393CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików