
goshs — Vulnerabilities & Security Advisories (13)

All 13 CVE vulnerabilities found in goshs, with AI-generated Chinese analysis, references, and POCs.

This page documents known vulnerabilities for goshs, a lightweight and portable web server implemented in Go, focusing on weakness types such as buffer overflows, input validation errors, and configuration flaws. The content aggregates security findings spanning from the project's inception through mid-2024, covering both historical disclosures and recently published advisories related to the software’s core functionality and associated dependencies. By exploring this collection, users can track the vendor’s or maintainers’ advisory patterns over time to assess the stability and responsiveness of the project regarding security fixes. It also enables a deeper understanding of specific weakness classes commonly exploited in Go-based network services, helping developers identify common pitfalls in implementation. Additionally, the page serves as a lookup tool for the complete vulnerability history of goshs, allowing security researchers and system administrators to review past issues, analyze their impact, and verify if specific versions are affected by known exploits. This resource is intended for technical audiences seeking factual data on software security posture rather than promotional material. The information is organized to facilitate efficient searching and correlation across different vulnerability identifiers and release cycles.

Vendor: patrickhener

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-42091 | goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS | CWE-352 | 6.5 | Medium | 2026-05-04 |
| CVE-2026-40903 | Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential Persistence | CWE-829 | 9.1 | Critical | 2026-04-21 |
| CVE-2026-40885 | goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access | CWE-200 | 9.1 (AI) | Critical (AI) | 2026-04-21 |
| CVE-2026-40884 | goshs: Empty-username SFTP password authentication bypass in goshs | CWE-306 | 9.8 | Critical | 2026-04-21 |
| CVE-2026-40883 | goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation | CWE-352 | 8.1 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-40876 | SFTP root escape via prefix-based path validation in goshs | CWE-22 | 8.8 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-40189 | goshs has a file-based ACL authorization bypass in goshs state-changing routes | CWE-862 | 9.8 (AI) | Critical (AI) | 2026-04-10 |
| CVE-2026-40188 | goshs is Missing Write Protection for Parametric Data Values | CWE-1314 | 7.7 | High | 2026-04-10 |
| CVE-2026-35471 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs | CWE-22 | 9.1 (AI) | Critical (AI) | 2026-04-06 |
| CVE-2026-35393 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload | CWE-22 | 9.8 (AI) | Critical (AI) | 2026-04-06 |
| CVE-2026-35392 | goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload | CWE-22 | 9.1 (AI) | Critical (AI) | 2026-04-06 |
| CVE-2026-34581 | goshs has Auth Bypass via Share Token | CWE-288 | 8.1 | High | 2026-04-02 |
| CVE-2025-46816 | goshs route not protected, allows command execution | CWE-284 | 9.8 (AI) | Critical (AI) | 2025-05-06 |
