CVE-2026-34581

HIGH 8.1

goshs has Auth Bypass via Share Token

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

8th

goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.

CWE	CWE-288
Vendor	patrickhener
Product	goshs
Published	Apr 2, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for patrickhener goshs

Be the first to know when new high vulnerabilities affecting patrickhener goshs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

patrickhener / goshs

>= 1.1.0, < 2.0.0-beta.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g github.com: https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216 github.com: https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2