CVE-2026-40188

high

Description

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP rename command sanitizes only the source path, not the destination, so it is possible to write outside the SFTP root directory. This vulnerability is fixed in 2.0.0-beta.4.
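
The class of flaw described above, as an added example (not goshs code and not the project's fix): a rename handler that confines only the source is shown beside one that confines both operands. The function names, the root /srv/share and the sample paths are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes SFTP root")

// confine maps a client-supplied path onto root and rejects any result that
// lexically leaves it. Symlinks are not resolved here (assumption: handled elsewhere).
func confine(root, clientPath string) (string, error) {
	full := filepath.Join(root, clientPath) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// sourceOnlyTargets is a constructed illustration of the flaw class: only src is checked.
func sourceOnlyTargets(root, src, dst string) (string, string, error) {
	s, err := confine(root, src)
	if err != nil {
		return "", "", err
	}
	return s, filepath.Join(root, dst), nil // dst is never validated
}

// checkedTargets applies the same confinement to both operands of the rename.
func checkedTargets(root, src, dst string) (string, string, error) {
	s, err := confine(root, src)
	if err != nil {
		return "", "", fmt.Errorf("source: %w", err)
	}
	d, err := confine(root, dst)
	if err != nil {
		return "", "", fmt.Errorf("destination: %w", err)
	}
	return s, d, nil
}

func main() {
	root, src, dst := "/srv/share", "upload.txt", "../outside/upload.txt" // constructed sample
	_, d, _ := sourceOnlyTargets(root, src, dst)
	fmt.Println("source-only check resolves dst to:", d)
	_, _, err := checkedTargets(root, src, dst)
	fmt.Println("both-operand check:", err)
}
```

The check is lexical only; a deployment that allows symlinks under the root also needs to resolve them before comparing against the root.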

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx

https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4

https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744

Details

Source: Mitre, NVD

Published: 2026-04-10

Updated: 2026-04-10

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 7.7

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Severity: High