goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:NGoshs
APPGoshs2.0.01.0.7 – 2.0.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2026-40884CRITICAL9.8PL ✓ten sam produkt
Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)
CVE-2026-40903CRITICAL9.1PL ✓ten sam produkt
Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)
CVE-2026-40189CRITICAL9.3PL ✓ten sam produkt
Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia
CVE-2026-35393CRITICAL9.8PL ✓ten sam produkt
Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików
CVE-2026-35471CRITICAL9.8PL ✓ten sam produkt
Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()