Description
goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, a Share Token can be used to bypass the restriction to the selected file download and reach all goshs functionality, including code execution. This issue has been patched in version 2.0.0-beta.2.
Published: 2026-04-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass leading to unrestricted access and potential code execution
Action: Apply Patch
AI Analysis

Impact

goshs, a simple HTTP server written in Go, contains an authorization bypass that allows an attacker to use a Share Token to access the server's full functionality, including code execution. The flaw, identified as CWE-288, means that an unauthorized user can retrieve any file or launch commands on the host, compromising confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects all installations of goshs from version 1.1.0 up to but not including version 2.0.0-beta.2. The product is identified under patrickhener:goshs, and the patch was released in the 2.0.0-beta.2 release.

Risk and Exploitability

The CVSS score of 8.1 classifies it as high severity. The EPSS score is undisclosed and the CVE is not in the KEV list, but the vulnerability can be triggered by a simple HTTP request providing a Share Token, so remote attackers can execute arbitrary code or exfiltrate data. The lack of public exploitation data does not reduce the threat, as the access vector is likely remote via the web interface.

Generated by OpenCVE AI on April 2, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade goshs to version 2.0.0-beta.2 or later



Advisories
Source: Github GHSA
ID: GHSA-jgfx-74g2-9r6g
Title: goshs has Auth Bypass via Share Token
History

Fri, 03 Apr 2026 10:15:00 +0000

Values Added (by Type):

  • First Time appeared: Patrickhener, Patrickhener goshs
  • Vendors & Products: Patrickhener, Patrickhener goshs

Thu, 02 Apr 2026 20:30:00 +0000

Values Added (by Type):

  • Description: goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, a Share Token can be used to bypass the restriction to the selected file download and reach all goshs functionality, including code execution. This issue has been patched in version 2.0.0-beta.2.
  • Title: goshs has Auth Bypass via Share Token
  • Weaknesses: CWE-288
  • References:
  • Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-03T17:01:54.432Z
Reserved: 2026-03-30T16:56:30.999Z
Link: CVE-2026-34581

Vulnrichment
No data.

NVD
Status: Awaiting Analysis
Published: 2026-04-02T19:21:32.157
Modified: 2026-04-03T16:10:23.730
Link: CVE-2026-34581

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-03T09:17:04Z
