CVE-2026-40188

HIGH

goshs is Missing Write Protection for Parametric Data Values

Title source: cna

Description

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

References (3)

[X_Refsource_Confirm] https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx

[X_Refsource_Misc] https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4

Scores

CVSS v3 7.7

EPSS 0.0003

EPSS Percentile 8.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Details

CWE

CWE-1314

Status published

Products (4)

goshs/goshs 2.0.0 beta1 (3 CPE variants)

goshs/goshs 1.0.7 - 2.0.0

patrickhener/goshs 1.0.7Go

patrickhener/goshs >= 1.0.7, < 2.0.0-beta.4

Published Apr 10, 2026

Tracked Since Apr 11, 2026