Description
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.
Published: 2026-05-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

goshs implements a simple HTTP file upload service. In versions prior to 2.0.2 the PUT handler does not enforce CSRF protection, while the OPTIONS preflight handler sends an "Access-Control-Allow-Origin: *" header. As a result, any web page that the victim visits can instruct the victim's browser to perform a PUT request to the server and upload or overwrite an arbitrary file, thereby modifying the server's file system. The CWE-352 classification reflects the cross-site request forgery nature of this flaw.

Affected Systems

The vulnerable code is present in the goshs SimpleHTTPServer package produced by patrickhener. All releases before v2.0.2 contain the flaw; v2.0.2 adds CSRF validation for uploaded files and removes the wildcard CORS header, thereby patching the issue.

Risk and Exploitability

The CVSS score of 6.5 marks it as a medium-level vulnerability. Because the exploit requires a victim browser to load a malicious site, the attack vector is client-side; it can bypass network isolation such as localhost or internal networks. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no public exploits have been reported at the time of assessment. Nonetheless, the ability to write arbitrary files could enable malware deployment or configuration tampering if the server is accessible to unprivileged users.

Generated by OpenCVE AI on May 4, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to goshs version 2.0.2 or later, which implements CSRF protection for PUT uploads and removes the wildcard CORS header
  • If upgrading immediately is not possible, disable the PUT method on the server or require authentication before allowing file writes
  • Configure the server to return a stricter CORS policy, such as "Access-Control-Allow-Origin: <trusted-domain>" or remove the header entirely
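As an added illustration of the two fixes recommended above (example code written here, not goshs's own handlers, which the page does not show): a Go PUT handler that validates an X-CSRF-Token header before any write, and an OPTIONS handler that echoes only an allowlisted origin instead of the wildcard. The allowlist entry, the session token, the header name and the in-memory store are constructed assumptions.

```go
package main

import (
	"crypto/subtle"
	"io"
	"net/http"
	"path"
)

// Constructed values: a real server loads the allowlist from configuration,
// issues a fresh CSRF token per session, and writes to the served directory.
var (
	allowedOrigins   = map[string]bool{"https://files.internal.example": true}
	sessionCSRFToken = "constructed-session-token-0123456789"
	uploads          = map[string][]byte{}
)

// preflight answers OPTIONS with CORS headers only for an allowlisted Origin.
// An unknown origin gets no Access-Control-Allow-Origin, so the browser never
// sends the cross-site PUT; echoing one origin replaces the wildcard "*".
func preflight(w http.ResponseWriter, r *http.Request) {
	origin := r.Header.Get("Origin")
	if !allowedOrigins[origin] {
		http.Error(w, "origin not allowed", http.StatusForbidden)
		return
	}
	h := w.Header()
	h.Set("Access-Control-Allow-Origin", origin)
	h.Set("Vary", "Origin") // caches must not reuse this answer for other origins
	h.Set("Access-Control-Allow-Methods", "PUT, POST, OPTIONS")
	h.Set("Access-Control-Allow-Headers", "X-CSRF-Token, Content-Type")
	w.WriteHeader(http.StatusNoContent)
}

// putUpload refuses any PUT without a valid CSRF token before touching the
// store: a forged cross-site request cannot read the session token.
func putUpload(w http.ResponseWriter, r *http.Request) {
	got := []byte(r.Header.Get("X-CSRF-Token"))
	if subtle.ConstantTimeCompare(got, []byte(sessionCSRFToken)) != 1 {
		http.Error(w, "missing or invalid CSRF token", http.StatusForbidden)
		return
	}
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
	if err != nil {
		http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
		return
	}
	uploads[path.Base(r.URL.Path)] = body // Base() drops any directory components
	w.WriteHeader(http.StatusCreated)
}
```

The token check alone closes the file-write path even if a misconfigured proxy still emits a permissive CORS header, so the two fixes are independent layers rather than alternatives.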

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:00:00 +0000
  Values added:
    First Time appeared: Patrickhener; Patrickhener goshs
    Vendors & Products: Patrickhener; Patrickhener goshs

Mon, 04 May 2026 17:45:00 +0000
  Values added:
    Description: goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.
    Title: goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS
    Weaknesses: CWE-352
    References:
    Metrics: cvssV3_1, score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-05-04T17:24:47.890Z
  Reserved: 2026-04-23T19:17:30.566Z
  Link: CVE-2026-42091

Vulnrichment
  No data.

NVD
  Status: Received
  Published: 2026-05-04T18:16:31.210
  Modified: 2026-05-04T18:16:31.210
  Link: CVE-2026-42091

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-05-04T19:00:07Z

Weaknesses