CVE-2026-40188

Sažetak

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

Reference

https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4
https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx

CVSS

Base:	7.7
Impact:	4.0
Exploitability:	3.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Zadnje važnije ažuriranje

10-04-2026 - 20:16

Objavljeno

10-04-2026 - 20:16