Description
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
Published: 2026-04-10
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Apply Patch
AI Analysis

Impact

The SFTP rename command in goshs sanitizes only the source file path and leaves the destination path unsanitized. An attacker can provide a destination that resolves outside the configured root directory, allowing creation, modification, or deletion of files beyond the intended area. This capability can compromise the confidentiality, integrity, or availability of the server.
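The defensive pattern is to resolve every client-supplied path of a request against the root, not only the first one. The following Go snippet is an added illustration, not code from goshs: the root directory, the function names and the sample paths are assumptions, and the containment check is purely lexical (symlinks inside the root are a separate concern).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any client path that would resolve outside the root.
var ErrOutsideRoot = errors.New("path escapes the configured SFTP root")

// resolveInRoot maps a client-supplied SFTP path onto the local filesystem.
// root is assumed to be an absolute, cleaned directory such as /srv/sftp.
// filepath.Join cleans the result, so "../" sequences are folded in before
// the containment check; anything that lands above root is rejected.
func resolveInRoot(root, clientPath string) (string, error) {
	root = filepath.Clean(root)
	resolved := filepath.Join(root, clientPath) // an absolute client path is treated as relative to root
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// RenamePaths validates BOTH arguments of a rename request. The destination
// check is the one the affected goshs versions skipped; a rename must be
// refused before the filesystem is touched if either side escapes root.
func RenamePaths(root, clientSrc, clientDst string) (src, dst string, err error) {
	if src, err = resolveInRoot(root, clientSrc); err != nil {
		return "", "", fmt.Errorf("source %q: %w", clientSrc, err)
	}
	if dst, err = resolveInRoot(root, clientDst); err != nil {
		return "", "", fmt.Errorf("destination %q: %w", clientDst, err)
	}
	return src, dst, nil
}

func main() {
	// Constructed sample requests: one benign, one with traversal in the destination only.
	for _, c := range [][2]string{{"docs/a.txt", "docs/b.txt"}, {"docs/a.txt", "../../etc/cron.d/job"}} {
		src, dst, err := RenamePaths("/srv/sftp", c[0], c[1])
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("allowed: %s -> %s\n", src, dst)
	}
}
```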

Affected Systems

The open-source SimpleHTTPServer tool called goshs, maintained by Patrick Hener, is affected. Versions from 1.0.7 up to, but not including, 2.0.0-beta.4 contain the flaw; the issue was addressed in release 2.0.0-beta.4 and later revisions contain the fix.

Risk and Exploitability

The flaw carries a CVSS score of 7.7, indicating a high impact. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The most probable attack path is via the SFTP rename operation, which requires network access to the SFTP service and typically valid authentication credentials. Limiting or monitoring the SFTP interface reduces the potential for abuse.

Generated by OpenCVE AI on April 14, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to goshs version 2.0.0-beta.4 or later
  • Confirm the running version to ensure the patch is applied
  • Restrict the SFTP service to trusted hosts or networks
  • If an upgrade cannot be performed immediately, monitor the filesystem for unexpected writes outside the configured root

Advisories
Source       ID                    Title
Github GHSA  GHSA-2943-crp8-38xx   goshs is Missing Write Protection for Parametric Data Values
History

Tue, 14 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Goshs
                                      Goshs goshs
CPEs                                  cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*
                                      cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*
                                      cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*
                                      cpe:2.3:a:goshs:goshs:2.0.0:beta3:*:*:*:go:*:*
Vendors & Products                    Goshs
                                      Goshs goshs

Mon, 13 Apr 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Patrickhener
                                      Patrickhener goshs
Vendors & Products                    Patrickhener
                                      Patrickhener goshs

Fri, 10 Apr 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
Title                          goshs is Missing Write Protection for Parametric Data Values
Weaknesses                     CWE-1314
References
Metrics                        cvssV3_1
                               {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:35:32.574Z

Reserved: 2026-04-09T20:59:17.620Z

Link: CVE-2026-40188

Vulnrichment

Updated: 2026-04-13T15:23:28.408Z

NVD

Status: Analyzed

Published: 2026-04-10T20:16:23.733

Modified: 2026-04-14T20:15:28.567

Link: CVE-2026-40188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses