Nixpkgs security tracker

Untriaged

Permalink CVE-2026-35392

created 4 days, 17 hours ago

goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64 x_refsource_CONFIRM

Affected products

goshs

==< 2.0.0-beta.3

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 1.1.4
- nixos-unstable-small 1.1.4
nixos-25.11 1.1.2
- nixos-25.11-small 1.1.2
- nixpkgs-25.11-darwin 1.1.2

Package maintainers

@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers