CRITICAL🇵🇱 Wersja polska

CVE-2026-35471

CVSS 9.8v3.0pub. 2026-04-06upd. 2026-04-09

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.

🤖 AI Analysis
How it works

The deleteFile() function performs path validation checks for path traversal, but does not terminate code execution after detecting an invalid path — there is a missing return statement. As a result, further processing of the request is continued despite negative validation, allowing an attacker to manipulate the path (e.g., using '../' sequences) to escape the server's working directory and operate on arbitrary system files.

Impact

A remote, unauthenticated attacker can read, modify, or delete any files accessible to the server process, leading to violations of data confidentiality, integrity, and availability.

Mitigation & patch

Update Goshs to version 2.0.0-beta.3 or later, in which the vulnerability has been fixed. Details are available in the project repository and in the GHSA-6qcc-6q27-whp8 security advisory.

Who is affected

Goshs (github.com/patrickhener/goshs) in versions prior to 2.0.0-beta.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Goshs

    APP
    Goshs
    2.0.0< 2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-40884CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)

CVE-2026-40903CRITICAL9.1PL ✓ten sam produkt

Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)

CVE-2026-40189CRITICAL9.3PL ✓ten sam produkt

Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia

CVE-2026-35393CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików

CVE-2026-35392CRITICAL9.8PL ✓ten sam produkt

Path traversal w goshs — brak sanityzacji ścieżki przy PUT upload