Nixpkgs security tracker

Untriaged

Permalink CVE-2026-34581

8.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

goshs has Auth Bypass via Share Token

goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216 x_refsource_MISC
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2 x_refsource_MISC

Affected products

goshs

==>= 1.1.0, < 2.0.0-beta.2

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 1.1.4
- nixos-unstable-small 1.1.4
nixos-25.11 1.1.2
- nixos-25.11-small 1.1.2
- nixpkgs-25.11-darwin 1.1.2

Package maintainers

@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers