HIGH🇵🇱 Wersja polska

CVE-2026-40188

CVSS 7.7v3.1pub. 2026-04-10upd. 2026-04-14

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
  • Goshs

    APP
    Goshs
    2.0.01.0.7 – 2.0.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-40884CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)

CVE-2026-40903CRITICAL9.1PL ✓ten sam produkt

Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)

CVE-2026-40189CRITICAL9.3PL ✓ten sam produkt

Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia

CVE-2026-35393CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików

CVE-2026-35471CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()