Lucene search
K

13 matches found

CVE
CVE
added 2026/04/21 7:35 p.m.15 views

CVE-2026-40883

Summary of CVE-2026-40883 (goshs) : A cross-site request forgery in goshs’ state-changing HTTP GET routes allows an attacker to trigger destructive actions (e.g., deleting files, creating directories) on an authenticated victim’s browser because authentication relies only on HTTP basic auth and n...

8.1CVSS5.7AI score0.00143EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/04/21 7:35 p.m.63 views

CVE-2026-40883 goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because...

6.1CVSS0.00143EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/14 10:28 p.m.28 views

goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation

Summary goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or...

8.1CVSS5.8AI score0.00143EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/14 1:22 a.m.7 views

CVE-2026-40189

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload...

9.8CVSS5.8AI score0.00651EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.9 views

PT-2026-33232

Name of the Vulnerable Software and Affected Versions goshs versions 2.0.0-beta.4 through 2.0.0-beta.5 Description goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an authenticated browser to trigger destructive actions becaus...

8.1CVSS5.8AI score0.00143EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2026/04/10 8:0 p.m.8 views

goshs has a file-based ACL authorization bypass in goshs state-changing routes

Summary goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload,...

9.8CVSS6AI score0.00651EPSS
Exploits1References5Affected Software1
EUVD
EUVD
added 2026/04/10 8:0 p.m.5 views

EUVD-2026-21591

goshs has a file-based ACL authorization bypass in goshs state-changing routes...

9.3CVSS5.8AI score0.00651EPSS
Exploits1References3
OSV
OSV
added 2026/04/10 8:0 p.m.4 views

GHSA-WVHV-QCQF-F3CX goshs has a file-based ACL authorization bypass in goshs state-changing routes

Summary goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload,...

9.8CVSS6AI score0.00651EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/04/10 7:44 p.m.22 views

CVE-2026-40189 goshs has a file-based ACL authorization bypass in goshs state-changing routes

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload...

9.3CVSS0.00651EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/10 7:44 p.m.4 views

CVE-2026-40189

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload...

9.3CVSS5.8AI score0.00651EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/04/10 7:44 p.m.19 views

CVE-2026-40189

CVE-2026-40189 affects goshs, a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces per-folder .goshs ACL/basic-auth for directory listings and file reads but does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can perform state-...

9.8CVSS5.8AI score0.00651EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.5 views

PT-2026-32039

Name of the Vulnerable Software and Affected Versions goshs versions prior to 2.0.0-beta.4 Description goshs, a SimpleHTTPServer written in Go, had an authorization bypass. Prior to version 2.0.0-beta.4, the software enforced ACL/basic-auth mechanisms for directory listings and file reads, but di...

9.8CVSS5.8AI score0.00651EPSS
Exploits1References18
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.8 views

goshs 安全漏洞

Goshs is a simple HTTP server developed by Patrick Hener using Go language. Versions of Goshs prior to 2.0.0-beta.4 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforcing identical authorization checks for state-changing routes, which allowed unauthenticated...

9.8CVSS7.3AI score0.00651EPSS
Exploits1References3
Rows per page
Query Builder