goshs — Vulnerabilities & Security Advisories 12

All 12 CVE vulnerabilities found in goshs, with AI-generated Chinese analysis, references, and POCs.

Vendor: patrickhener

CVE ID	Title	CVSS	Severity	Published
CVE-2026-40903	Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential Persistence CWE-829	9.1	Critical	2026-04-21
CVE-2026-40885	goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access CWE-200	9.1^AI	Critical^AI	2026-04-21
CVE-2026-40884	goshs: Empty-username SFTP password authentication bypass in goshs CWE-306	9.8	Critical	2026-04-21
CVE-2026-40883	goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation CWE-352	8.1^AI	High^AI	2026-04-21
CVE-2026-40876	SFTP root escape via prefix-based path validation in goshs CWE-22	8.8^AI	High^AI	2026-04-21
CVE-2026-40189	goshs has a file-based ACL authorization bypass in goshs state-changing routes CWE-862	9.8^AI	Critical^AI	2026-04-10
CVE-2026-40188	goshs is Missing Write Protection for Parametric Data Values CWE-1314	7.7	High	2026-04-10
CVE-2026-35471	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs CWE-22	9.1^AI	Critical^AI	2026-04-06
CVE-2026-35393	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload CWE-22	9.8^AI	Critical^AI	2026-04-06
CVE-2026-35392	goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload CWE-22	9.1^AI	Critical^AI	2026-04-06
CVE-2026-34581	goshs has Auth Bypass via Share Token CWE-288	8.1	High	2026-04-02
CVE-2025-46816	goshs route not protected, allows command execution CWE-284	9.8^AI	Critical^AI	2025-05-06

All 12 known CVE vulnerabilities affecting goshs with full Chinese analysis, references, and POCs where available.