Lucene search
+L

148 matches found

circl
circl
added 2026/07/01 10:35 p.m.8 views

CVE-2026-50138

creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:05+00:00| published-proof-of-concept| https://github.com/goshs-labs/goshs/security/advisories/GHSA-3whc-qvhv-xqjp...

5.8AI score
Exploits0References1
circl
circl
added 2026/07/01 10:35 p.m.9 views

CVE-2026-50139

creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:03+00:00| published-proof-of-concept| https://github.com/goshs-labs/goshs/security/advisories/GHSA-j48m-h7xq-2xpj...

5.8AI score
Exploits0References1
osv
osv
added 2026/07/01 9:59 p.m.3 views

GHSA-J48M-H7XQ-2XPJ goshs: Share-link ?token=… redemption races past download limit

Share-link ?token=… redemption races past download limit Ecosystem: Go Package: goshs.de/goshs/v2 github.com/patrickhener/goshs Affected: 0 || entry.DownloadLimit == -1 // ...serve file... // = current.DownloadLimit deletefs.SharedLinks, token fs.sharedLinksMu.Unlock Between line 978 RUnlock and...

5.9CVSS5.8AI score
Exploits0References2
osv
osv
added 2026/07/01 9:56 p.m.3 views

GHSA-3WHC-QVHV-XQJP goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags

WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags Ecosystem: Go Package: goshs.de/goshs/v2 github.com/patrickhener/goshs Affected: /tmp/r/x.txt goshs -p 18000 -wp 18001 -w -ro -d /tmp/r -b admin:pw & curl -u admin:pw -X PUT http://localhost:18000/y.txt --data x 403 HT...

8.1CVSS5.8AI score
Exploits0References2
ptsecurity
ptsecurity
added 2026/07/01 12:0 a.m.5 views

PT-2026-55218

Name of the Vulnerable Software and Affected Versions goshs versions prior to 2.0.10 Description A race condition exists in the ShareHandler when processing share-link redemptions. The system reads the DownloadLimit of a share token using a read lock, releases it to serve the file, and only then...

5.9CVSS6AI score
Exploits0References4
redhatcve
redhatcve
added 2026/06/05 7:27 p.m.10 views

CVE-2026-40883

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because...

8.1CVSS5.4AI score0.00143EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/06/05 7:14 p.m.10 views

CVE-2026-40876

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can...

8.8CVSS5.5AI score0.00439EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/06/05 7:13 p.m.9 views

CVE-2026-40903

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUBTOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6...

9.1CVSS5.4AI score0.00245EPSS
Exploits0References1
osv
osv
added 2026/05/20 7:7 p.m.12 views

GO-2026-4953 goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs

goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs...

7.7CVSS7.3AI score0.00318EPSS
Exploits1References4
ptsecurity
ptsecurity
added 2026/05/20 12:0 a.m.15 views

PT-2026-42366

goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs...

7.7CVSS7.3AI score0.00318EPSS
Exploits1References5
veracode
veracode
added 2026/05/14 5:32 p.m.20 views

Path Traversal

github.com/patrickhener/goshs is vulnerable to Path Traversal. The vulnerability is due to a missing return statement in the tdeleteFile function after the path traversal check, which allows an attacker to bypass path validation and perform unauthorized file deletion through crafted traversal pat...

9.8CVSS7.3AI score0.00683EPSS
Exploits1References2Affected Software1
susecve
susecve
added 2026/05/09 2:43 a.m.9 views

SUSE CVE-2026-40883

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because...

8.1CVSS5.8AI score0.00143EPSS
Exploits1References3
susecve
susecve
added 2026/05/06 1:41 a.m.8 views

SUSE CVE-2026-42091

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

6.5CVSS5.9AI score0.00165EPSS
Exploits1References3
redhatcve
redhatcve
added 2026/05/05 8:21 p.m.8 views

CVE-2026-42091

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

6.5CVSS5.9AI score0.00165EPSS
Exploits1References1
nvd
nvd
added 2026/05/04 6:16 p.m.9 views

CVE-2026-42091

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

6.5CVSS0.00165EPSS
Exploits1References3
euvd
euvd
added 2026/05/04 5:24 p.m.10 views

EUVD-2026-27067

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

8.1CVSS5.9AI score0.00165EPSS
Exploits2References3
vulnrichment
vulnrichment
added 2026/05/04 5:24 p.m.5 views

CVE-2026-42091 goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

6.5CVSS5.9AI score0.00165EPSS
Exploits1References3
attackerkb
attackerkb
added 2026/05/04 5:24 p.m.4 views

CVE-2026-42091

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

8.1CVSS5.9AI score0.00165EPSS
Exploits2References4Affected Software1
osv
osv
added 2026/05/04 5:24 p.m.4 views

CVE-2026-42091 goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

6.5CVSS6AI score0.00165EPSS
Exploits1References5
cvelist
cvelist
added 2026/05/04 5:24 p.m.69 views

CVE-2026-42091 goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

6.5CVSS0.00165EPSS
Exploits1References3
Rows per page
Query Builder