CVE-2026-40188

HIGH 7.7

goshs is Missing Write Protection for Parametric Data Values

CVSS Score

7.7

EPSS Score

0.0%

EPSS Percentile

7th

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

CWE	CWE-1314
Vendor	patrickhener
Product	goshs
Published	Apr 10, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for patrickhener goshs

Be the first to know when new high vulnerabilities affecting patrickhener goshs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

patrickhener / goshs

>= 1.0.7, < 2.0.0-beta.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx github.com: https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744 github.com: https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4