goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NGoshs
APPGoshs2.0.0< 2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2026-40884CRITICAL9.8PL ✓ten sam produkt
Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)
CVE-2026-40189CRITICAL9.3PL ✓ten sam produkt
Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia
CVE-2026-35393CRITICAL9.8PL ✓ten sam produkt
Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików
CVE-2026-35392CRITICAL9.8PL ✓ten sam produkt
Path traversal w goshs — brak sanityzacji ścieżki przy PUT upload
CVE-2026-35471CRITICAL9.8PL ✓ten sam produkt
Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()