Patrick Hener

10 exploits Active since Jul 2020
CVE-2023-22855 NOMISEC CRITICAL WRITEUP
Kardex Mlog MCC 5.7.12+0-a203c2a213-master - Remote Code Execution via Path Traversal and T4 Template Injection
Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code.
CVSS 9.8
CVE-2020-15492 NOMISEC CRITICAL WORKING POC
INNEO Startup TOOLS 12.0.66.3784-13.0.70.3804 - Unauthenticated Path Traversal via sut_srv.exe Web Application
An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.
CVSS 9.8
CVE-2023-22855 WRITEUP CRITICAL WRITEUP
Kardex Mlog MCC 5.7.12+0-a203c2a213-master - Remote Code Execution via Path Traversal and T4 Template Injection
Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code.
CVSS 9.8
CVE-2026-42091 WRITEUP MEDIUM WRITEUP
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.
CVSS 6.5
CVE-2025-46816 WRITEUP CRITICAL WRITEUP
goshs 0.3.4-1.0.4 - Unauthenticated Remote Code Execution via WebSocket Command Injection
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.
CVSS 9.4
CVE-2026-40188 WRITEUP HIGH WRITEUP
goshs is Missing Write Protection for Parametric Data Values
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
CVSS 7.7
CVE-2026-40189 WRITEUP CRITICAL WRITEUP
goshs <2.0.0-beta.4 State-Changing Routes - Authorization Bypass
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
CVSS 9.8
CVE-2026-34581 WRITEUP HIGH WRITEUP
goshs has Auth Bypass via Share Token
goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.
CVSS 8.1
CVE-2023-22855 EXPLOITDB CRITICAL python WORKING POC
Kardex Mlog MCC 5.7.12+0-a203c2a213-master - Remote Code Execution via Path Traversal and T4 Template Injection
Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code.
CVSS 9.8
CVE-2020-15492 EXPLOITDB CRITICAL go WORKING POC
INNEO Startup TOOLS 12.0.66.3784-13.0.70.3804 - Unauthenticated Path Traversal via sut_srv.exe Web Application
An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.
CVSS 9.8