CRITICAL🇵🇱 Wersja polska

CVE-2026-40903

CVSS 9.1v3.1pub. 2026-04-21upd. 2026-05-01

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Goshs

    APP
    Goshs
    2.0.0< 2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-40884CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)

CVE-2026-40189CRITICAL9.3PL ✓ten sam produkt

Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia

CVE-2026-35393CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików

CVE-2026-35392CRITICAL9.8PL ✓ten sam produkt

Path traversal w goshs — brak sanityzacji ścieżki przy PUT upload

CVE-2026-35471CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()

CVE-2026-40903 — Goshs — CRITICAL — CVSS 9.1 | CVEbaza.pl