13 matches found
CVE-2026-40883
Summary of CVE-2026-40883 (goshs) : A cross-site request forgery in goshs’ state-changing HTTP GET routes allows an attacker to trigger destructive actions (e.g., deleting files, creating directories) on an authenticated victim’s browser because authentication relies only on HTTP basic auth and n...
CVE-2026-40883 goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because...
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation
Summary goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or...
CVE-2026-40189
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload...
PT-2026-33232
Name of the Vulnerable Software and Affected Versions goshs versions 2.0.0-beta.4 through 2.0.0-beta.5 Description goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an authenticated browser to trigger destructive actions becaus...
goshs has a file-based ACL authorization bypass in goshs state-changing routes
Summary goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload,...
EUVD-2026-21591
goshs has a file-based ACL authorization bypass in goshs state-changing routes...
GHSA-WVHV-QCQF-F3CX goshs has a file-based ACL authorization bypass in goshs state-changing routes
Summary goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload,...
CVE-2026-40189 goshs has a file-based ACL authorization bypass in goshs state-changing routes
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload...
CVE-2026-40189
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload...
CVE-2026-40189
CVE-2026-40189 affects goshs, a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces per-folder .goshs ACL/basic-auth for directory listings and file reads but does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can perform state-...
PT-2026-32039
Name of the Vulnerable Software and Affected Versions goshs versions prior to 2.0.0-beta.4 Description goshs, a SimpleHTTPServer written in Go, had an authorization bypass. Prior to version 2.0.0-beta.4, the software enforced ACL/basic-auth mechanisms for directory listings and file reads, but di...
goshs 安全漏洞
Goshs is a simple HTTP server developed by Patrick Hener using Go language. Versions of Goshs prior to 2.0.0-beta.4 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforcing identical authorization checks for state-changing routes, which allowed unauthenticated...