CVE-2026-40876

UNKNOWN 0.0

SFTP root escape via prefix-based path validation in goshs

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.

CWE	CWE-22
Vendor	patrickhener
Product	goshs
Published	Apr 21, 2026

Stay Ahead of the Next One

Get instant alerts for patrickhener goshs

Be the first to know when new unknown vulnerabilities affecting patrickhener goshs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

patrickhener / goshs

< 2.0.0-beta.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824