Nixpkgs security tracker

Untriaged

Permalink CVE-2026-35393

created 4 days, 18 hours ago

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5 x_refsource_CONFIRM

Affected products

goshs

==< 2.0.0-beta.3

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 1.1.4
- nixos-unstable-small 1.1.4
nixos-25.11 1.1.2
- nixos-25.11-small 1.1.2
- nixpkgs-25.11-darwin 1.1.2

Package maintainers

@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers