Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
Published: 2026-04-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Write
Action: Urgent Patch
AI Analysis

Impact

goshs, a lightweight HTTP server written in Go, is affected by a path traversal vulnerability in its POST multipart upload functionality. The flaw arises because the server does not sanitize filenames supplied in uploads, allowing a crafted request to place files outside the intended upload directory. This flaw can be used to write arbitrary files to the host system, potentially including executable scripts or system configuration files, thereby compromising the confidentiality, integrity, and availability of the server.

Affected Systems

All users running patrickhener:goshs older than version 2.0.0‑beta.3 are affected. The issue is present in every release before this patch and has been fixed in 2.0.0‑beta.3.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. The EPSS score is not available and the issue is not listed in CISA’s KEV catalog. The likely attack vector is an unauthenticated HTTP POST request to the upload endpoint, an inference made from the described behavior; no direct evidence of exploitation is provided. Due to the high severity and the ease of exploitation in exposed instances, the risk to affected deployments is significant. Mitigation is achieved by applying the patched version or temporarily disabling the upload feature.

Generated by OpenCVE AI on April 7, 2026 at 02:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 2.0.0‑beta.3 or later.
  • If an upgrade is not immediately possible, remove or disable the HTTP POST upload endpoint.
  • Configure the filesystem to restrict write permissions for the upload directory so that only the application user can write files.
  • Continuously monitor web server logs for unexpected file creation or suspicious upload attempts.

Generated by OpenCVE AI on April 7, 2026 at 02:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jg56-wf8x-qrv5 goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
History

Wed, 08 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Patrickhener
Patrickhener goshs
Vendors & Products Patrickhener
Patrickhener goshs

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
Title Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
Weaknesses CWE-22
References
Metrics cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Patrickhener Goshs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T13:58:10.369Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35393

cve-icon Vulnrichment

Updated: 2026-04-08T13:58:04.726Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-06T21:16:21.163

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35393

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:37:08Z

Weaknesses