goshs is Missing Write Protection for Parametric Data Values

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Description

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

Basic Information

ID CVE-2026-40188

Source GitHub_M

Published Apr 10, 2026 at 19:43

Affected Product

Vendor patrickhener

Product goshs

Version >= 1.0.7, < 2.0.0-beta.4

Affected Versions patrickhener goshs >= 1.0.7, < 2.0.0-beta.4

CWE Classification

CWE-1314

References

{
    "lastseen": "",
    "description": "goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.",
    "published": "2026-04-10T19:43:45.197Z",
    "modified": "2026-04-10T19:43:45.197Z",
    "type": "cve",
    "title": "goshs is Missing Write Protection for Parametric Data Values",
    "source": "GitHub_M",
    "references": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx\nhttps://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744\nhttps://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4",
    "id": "CVE-2026-40188",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1314"
    ],
    "cvelist": null,
    "sourceData": "patrickhener goshs >= 1.0.7, < 2.0.0-beta.4",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "goshs",
    "version": ">= 1.0.7, < 2.0.0-beta.4",
    "vendor": "patrickhener",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

goshs is Missing Write Protection for Parametric Data Values_CVE-2026-40188