Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
Published: 2026-04-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote file write enabling arbitrary file creation, potentially leading to code execution
Action: Immediate Patch
AI Analysis

Impact

The goshs SimpleHTTPServer allows an attacker to upload files via a POST multipart request without sanitizing the supplied file path. This oversight permits the creation or overwrite of files outside the intended upload directory, potentially enabling remote code execution or the placement of malicious artifacts on the host. The weakness represents a classic Path Traversal scenario.

Affected Systems

The flaw affects the open‑source goshs server maintained by patrickhener. Any deployment running a version older than 2.0.0‑beta.3 is vulnerable because the POST upload handler did not constrain the pathname. Versions 2.0.0‑beta.3 and later contain the patch that enforces a restricted upload directory.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is classified as critical. Although the EPSS score is currently below 1% and the issue is not listed in the CISA KEV catalog, the threat remains significant because an unauthenticated attacker can trigger the flaw via a standard HTTP POST to an exposed server, potentially achieving remote code execution. Administrators should treat this as a high‑risk exposure pending a security update.

Generated by OpenCVE AI on April 9, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the goshs installation to version 2.0.0‑beta.3 or newer.
  • If an upgrade cannot be performed immediately, restrict or disable the POST multipart upload path to prevent traversal attempts.
  • Verify that the upload handler no longer accepts unintended paths by testing uploads or reviewing server logs.

Generated by OpenCVE AI on April 9, 2026 at 22:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jg56-wf8x-qrv5 goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
History

Thu, 09 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Goshs
Goshs goshs
CPEs cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*
cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*
cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*
Vendors & Products Goshs
Goshs goshs

Wed, 08 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Patrickhener
Patrickhener goshs
Vendors & Products Patrickhener
Patrickhener goshs

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
Title Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
Weaknesses CWE-22
References
Metrics cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Goshs Goshs
Patrickhener Goshs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T13:58:10.369Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35393

cve-icon Vulnrichment

Updated: 2026-04-08T13:58:04.726Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T21:16:21.163

Modified: 2026-04-09T21:20:27.383

Link: CVE-2026-35393

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:45:02Z

Weaknesses