Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
Published: 2026-04-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write (Path Traversal)
Action: Apply Patch
AI Analysis

Impact

goshs, a lightweight HTTP server written in Go, contains a flaw in its PUT upload handler that fails to sanitize the supplied pathname. As a result, a client can issue a crafted HTTP PUT request that instructs the server to write a file to any path that the server process can access. This allows an attacker to create new files or overwrite existing ones, potentially altering configuration files, adding malicious scripts, or otherwise modifying the server’s filesystem in a way that could compromise the integrity of the application or host.
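The containment check that the advisory says the PUT upload path lacks is small and worth seeing in working form. The handler below is an added illustration written for this page, not code from goshs or its author: `safeJoin` resolves the client-supplied name against a fixed upload root and refuses anything that would land outside it (absolute paths, `..` traversal, or an empty name) instead of silently rewriting it, and `putHandler` only opens a file once that check has passed. The upload root `./uploads`, the bind address and both function names are assumptions for the example.

```go
package main

import (
	"errors"
	"io"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a client-supplied path would resolve to a
// location outside the configured upload directory.
var ErrOutsideRoot = errors.New("path escapes upload root")

// ErrEmptyName is returned when the request names the root itself rather
// than a file underneath it.
var ErrEmptyName = errors.New("empty file name")

// safeJoin resolves userPath (taken from the request URL) against root and
// refuses any result that is not strictly inside root. This is the check an
// unsanitized PUT handler is missing. It works on lexical paths only:
// symlinks already present under root are not followed, so a deployment
// that allows symlinks there should additionally resolve the final path
// (filepath.EvalSymlinks or, on Go 1.24+, os.Root).
func safeJoin(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	cleaned := filepath.Clean(filepath.FromSlash(userPath))
	if filepath.IsAbs(cleaned) {
		return "", ErrOutsideRoot
	}
	target := filepath.Join(absRoot, cleaned)
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRoot
	}
	if rel == "." {
		return "", ErrEmptyName
	}
	return target, nil
}

// putHandler stores the request body at the path named by the URL, but only
// after safeJoin has confirmed the destination lies under root. Rejected
// requests are logged with the raw path so traversal attempts are visible.
func putHandler(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		target, err := safeJoin(root, strings.TrimPrefix(r.URL.Path, "/"))
		if err != nil {
			log.Printf("rejected PUT %q from %s: %v", r.URL.Path, r.RemoteAddr, err)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			http.Error(w, "cannot create directory", http.StatusInternalServerError)
			return
		}
		f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
		if err != nil {
			http.Error(w, "cannot open file", http.StatusInternalServerError)
			return
		}
		defer f.Close()
		if _, err := io.Copy(f, r.Body); err != nil {
			http.Error(w, "write failed", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusCreated)
	}
}

func main() {
	root := "./uploads" // hypothetical upload directory for this example
	log.Fatal(http.ListenAndServe("127.0.0.1:8000", putHandler(root)))
}
```

Rejecting rather than normalising is a deliberate choice: a request for `../../etc/passwd` gets a 403 and a log line instead of being quietly mapped to `uploads/etc/passwd`, which gives operators a signal to alert on. The `filepath.Rel` comparison is what catches the traversal; a plain `strings.HasPrefix(target, root)` check would also accept a sibling directory such as `uploads-old`.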

Affected Systems

The affected product is goshs, maintained by patrickhener. All releases older than 2.0.0-beta.3 lack the necessary path‑sanitization logic in the upload routine. The issue was addressed in version 2.0.0-beta.3 and later releases. No other vendors or product lines are listed as affected.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, categorizing it as critical. Because the only requirement for exploitation is a crafted HTTP PUT request, it can be performed from any host that can reach the server’s HTTP endpoint. The lack of a known EPSS value and absence from the KEV catalog suggest it has not yet been widely exploited, but the high score and ease of exploitation give it a high likelihood of real‑world impact for exposed instances.

Generated by OpenCVE AI on April 7, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade goshs to version 2.0.0-beta.3 or later to eliminate the path traversal issue in the PUT upload feature.
  • If an upgrade is not immediately possible, configure the server or firewall to restrict the HTTP PUT method to trusted IP addresses or disable the method entirely to prevent unauthorized file uploads.
  • Implement network‑level hardening such as firewall rules that limit access to the server’s HTTP port, and enforce authentication on any remaining PUT endpoints to reduce exposure.

Generated by OpenCVE AI on April 7, 2026 at 02:27 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-g8mv-vp7j-qp64
Title: goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
History

Tue, 07 Apr 2026 18:00:00 +0000

Type      Values removed   Values added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type                  Values removed   Values added
First Time appeared   -                Patrickhener; Patrickhener goshs
Vendors & Products    -                Patrickhener; Patrickhener goshs

Tue, 07 Apr 2026 00:00:00 +0000

Type          Values removed   Values added
Description   -                goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
Title         -                goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
Weaknesses    -                CWE-22
References
Metrics       -                cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:19:28.746Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35392

Vulnrichment

Updated: 2026-04-07T16:19:25.918Z

NVD

Status : Undergoing Analysis

Published: 2026-04-06T21:16:21.013

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35392

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:09Z

Weaknesses