CVE-2026-40884

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP...

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the GET routes that change state. An attacker can cause authenticated users to unintentionally delete files or create directories by tricking them into visiting a crafted URL, as there is no validatio...

CVE-2026-40903

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUBTOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6...

CVE-2026-40903

CVE-2026-40903 – Goshs ArtiPACKED vulnerability : goshs is a SimpleHTTPServer written in Go. Before 2.0.0-beta.6, it is affected by an ArtiPACKED vulnerability that can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even if the token is not present in the repository source code. ...

CVE-2026-40884

CVE-2026-40884 (goshs) affects the SFTP service in goshs, a Go SimpleHTTPServer. Before 2.0.0-beta.6, starting the server with the documented empty-username basic-auth syntax (for example, -b ':pass' together with -sftp) can bypass SFTP password authentication because no password handler is insta...