Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
Published: 2026-04-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Write via Path Traversal
Action: Immediate Patch
AI Analysis

Impact

goshs, a lightweight HTTP server written in Go, accepts file uploads over the HTTP PUT method without sanitizing the requested pathname. Because the client-supplied name is used as-is when the destination path is built, a name containing traversal sequences such as ../ resolves to a location outside the intended upload directory, so an unauthenticated client can create or overwrite any file the server process is allowed to write. This is a classic path traversal flaw (CWE-22). Beyond the loss of data integrity and confidentiality, it can lead to remote code execution when the written file is something the system later executes or trusts, for example a script, a configuration file or a scheduled-task entry.

Affected Systems

The vulnerability exists in patrickhener/goshs and affects all releases prior to 2.0.0‑beta.3, including the pre-release builds 2.0.0‑beta.1 and 2.0.0‑beta.2. The issue was addressed in version 2.0.0‑beta.3, which introduces pathname sanitization and confines PUT upload operations to the designated upload directory.
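As an added illustration (this is not goshs's own code from httpserver/updown.go, which is not reproduced on this page), the Go program below contrasts the weak pattern described under Impact, joining the client-supplied name onto the upload root and trusting the result, with the kind of confinement the fixed release is described as adding. The handler layout, the function names and the upload-root location are assumptions made for the demo; the traversal request is constructed, and the escape is arranged to land in a throwaway temp directory rather than anywhere on the real filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an upload name would resolve outside the upload root.
var ErrTraversal = errors.New("upload path escapes the upload directory")

// vulnerableTarget mirrors the weak pattern: join the client-controlled name onto the
// root and trust the result. filepath.Join cleans "a/../b" but does not confine the
// result, so "../../etc/cron.d/job" still resolves outside root.
func vulnerableTarget(root, name string) (string, error) {
	return filepath.Join(root, name), nil
}

// safeTarget confines the upload to root: reject empty, absolute or NUL-bearing names,
// clean the name, then verify the joined path is still lexically inside root.
func safeTarget(root, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", ErrTraversal
	}
	full := filepath.Join(root, filepath.Clean(name))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// putHandler is a minimal PUT upload handler (assumed layout, not goshs's own);
// resolve selects the target-path policy applied to the client-supplied name.
func putHandler(root string, resolve func(root, name string) (string, error)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Nothing normalises r.URL.Path here: a raw "/../x" reaches resolve as "../x".
		target, err := resolve(root, strings.TrimPrefix(r.URL.Path, "/"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		body, err := io.ReadAll(r.Body)
		if err == nil {
			err = os.WriteFile(target, body, 0o644)
		}
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusCreated)
	})
}

// Result records what one traversal attempt did against a handler.
type Result struct {
	Status  int  // HTTP status returned
	Escaped bool // true if a file appeared outside the upload root
}

// tryTraversal sends a constructed PUT whose name climbs out of the upload root into
// its parent and reports whether the escape worked. Everything lives under a throwaway
// temp directory, so the only thing that can be written is our own scratch file.
func tryTraversal(resolve func(root, name string) (string, error)) (Result, error) {
	sandbox, err := os.MkdirTemp("", "goshs-demo-")
	if err != nil {
		return Result{}, err
	}
	defer os.RemoveAll(sandbox)
	root := filepath.Join(sandbox, "uploads")
	if err := os.Mkdir(root, 0o755); err != nil {
		return Result{}, err
	}
	req := httptest.NewRequest(http.MethodPut, "/../escaped.txt", strings.NewReader("owned\n"))
	rec := httptest.NewRecorder()
	putHandler(root, resolve).ServeHTTP(rec, req)
	_, statErr := os.Stat(filepath.Join(sandbox, "escaped.txt"))
	return Result{Status: rec.Code, Escaped: statErr == nil}, nil
}

func main() {
	for _, c := range []struct {
		label   string
		resolve func(string, string) (string, error)
	}{{"vulnerable", vulnerableTarget}, {"fixed", safeTarget}} {
		res, err := tryTraversal(c.resolve)
		fmt.Printf("%-10s status=%d escaped=%v err=%v\n", c.label, res.Status, res.Escaped, err)
	}
}
```

Run with go run: the vulnerable handler answers 201 and the file appears one level above the upload root, the fixed handler answers 400 and writes nothing. Two points worth noting. filepath.Join already calls Clean, so cleaning the name is not a fix on its own; the check that matters is filepath.Rel proving the joined path stays under root. That check is lexical: if a symlink inside the upload directory points elsewhere, a write through it still leaves the directory, so on Go 1.24 and later prefer os.OpenRoot and create files through the returned *os.Root, which enforces containment at the OS level. The same request shape, a PUT whose path carries ../ segments, is what to send to an upgraded server to confirm it now rejects the request and writes nothing.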

Risk and Exploitability

With a CVSS 3.0 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) the flaw is rated critical: it is reachable over the network, needs no privileges or user interaction, and yields high impact on confidentiality, integrity and availability. The EPSS score below 1% indicates low observed exploitation likelihood, but the SSVC assessment records a public proof of concept and marks the flaw as automatable, and any publicly reachable goshs instance that accepts PUT uploads is exploitable with a single unauthenticated request. The flaw is not listed in the CISA KEV catalog; its severity nonetheless warrants immediate attention to prevent system compromise.

Generated by OpenCVE AI on April 9, 2026 at 23:09 UTC.

Remediation

Fixed in goshs 2.0.0-beta.3 (see Description). No workaround other than upgrading is provided.

OpenCVE Recommended Actions

  • Upgrade patrickhener's goshs to version 2.0.0‑beta.3 or later to apply the path sanitization fix. Verify that the server's PUT upload endpoint no longer accepts filenames that navigate outside the intended upload directory, for example a name carrying ../ segments, and that no file is written when such a request is rejected.


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-g8mv-vp7j-qp64   goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
History

Thu, 09 Apr 2026 21:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Goshs; Goshs goshs
CPEs                  -                cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*
                                       cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*
                                       cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*
Vendors & Products    -                Goshs; Goshs goshs

Tue, 07 Apr 2026 18:00:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Patrickhener; Patrickhener goshs
Vendors & Products    -                Patrickhener; Patrickhener goshs

Tue, 07 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description   -                goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
Title         -                goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
Weaknesses    -                CWE-22
References    -                -
Metrics       -                cvssV3_0 {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:19:28.746Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35392

Vulnrichment

Updated: 2026-04-07T16:19:25.918Z

NVD

Status : Analyzed

Published: 2026-04-06T21:16:21.013

Modified: 2026-04-09T21:20:20.510

Link: CVE-2026-35392

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:04Z

Weaknesses