CRITICAL🇵🇱 Wersja polska

CVE-2026-35393

CVSS 9.8v3.0pub. 2026-04-06upd. 2026-04-09

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.

🤖 AI Analysis
How it works

When handling a POST request with multipart data (file upload), the application does not sanitize the target directory path. An attacker can submit a specially crafted request containing path traversal sequences (e.g., '../'), allowing the file to be written to any location in the file system accessible to the server process. The attack does not require authentication or user interaction.

Impact

An attacker can write arbitrary files to unauthorized locations in the file system, potentially leading to data confidentiality and integrity violations, and in extreme cases — to code execution or system compromise (e.g., by overwriting configuration files or startup scripts).

Mitigation & patch

Goshs should be updated to version 2.0.0-beta.3 or newer, where the vulnerability has been fixed. Until the update is applied, it is recommended to restrict network access to the Goshs instance to trusted hosts only.

Who is affected

Goshs in versions earlier than 2.0.0-beta.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Goshs

    APP
    Goshs
    2.0.0< 2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-40884CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)

CVE-2026-40903CRITICAL9.1PL ✓ten sam produkt

Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)

CVE-2026-40189CRITICAL9.3PL ✓ten sam produkt

Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia

CVE-2026-35471CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()

CVE-2026-35392CRITICAL9.8PL ✓ten sam produkt

Path traversal w goshs — brak sanityzacji ścieżki przy PUT upload