Description
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6.
Published: 2026-04-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling authenticated file deletion and directory creation
Action: Apply Patch
AI Analysis

Impact

goshs contains a CSRF flaw in its state‑changing HTTP GET routes that allows an attacker to prompt an authenticated browser to perform destructive actions such as deleting files or creating directories. The server trusts only HTTP Basic authentication and performs no CSRF, Origin or Referer validation for these routes, so a malicious link or embedded image can trigger the operations. The primary impact is loss of data and configuration changes conducted with the privileges of the authenticated actor.

Affected Systems

The offender is the open‑source web server goshs, maintained by patrickhener. Versions from 2.0.0‑beta.4 through 2.0.0‑beta.5 are affected. The issue was corrected in version 2.0.0‑beta.6 and later releases.

Risk and Exploitability

The CVSS score of 6.1 classifies the vulnerability as moderate severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, indicating no known active exploitation reports. Exploit requires a victim to be authenticated to the server; an attacker can craft a link containing the ?delete or ?mkdir parameters and lure the victim into clicking it, which would trigger the destructive action without additional credentials. This makes the vulnerability potentially valuable for insiders or attackers who have already compromised a user’s session or device.

Generated by OpenCVE AI on April 22, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade goshs to version 2.0.0‑beta.6 or later, which contains the official patch.
  • If an upgrade cannot be performed immediately, remove or disable the state‑changing ?delete and ?mkdir parameters from the server configuration or restrict access to those endpoints to trusted networks only.
  • Implement additional CSRF defenses such as checking Origin or Referer headers for state‑changing requests, or requiring a CSRF token in POST requests if you maintain the source code.

Generated by OpenCVE AI on April 22, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jrq5-hg6x-j6g3 goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation
History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Patrickhener
Patrickhener goshs
Vendors & Products Patrickhener
Patrickhener goshs

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6.
Title goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Patrickhener Goshs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:36:13.233Z

Reserved: 2026-04-15T15:57:41.719Z

Link: CVE-2026-40883

cve-icon Vulnrichment

Updated: 2026-04-21T20:17:09.423Z

cve-icon NVD

Status : Received

Published: 2026-04-21T20:17:01.983

Modified: 2026-04-21T21:16:43.753

Link: CVE-2026-40883

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:45:27Z

Weaknesses