NIXPKGS-2026-1073

GitHub issue published on

Permalink CVE-2026-40188

7.7 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 11 hours ago by @LeSuisse Activity log

Created automatic suggestion 17 hours ago
@LeSuisse accepted 12 hours ago
@LeSuisse published on GitHub 11 hours ago

goshs is Missing Write Protection for Parametric Data Values

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744 x_refsource_MISC
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4 x_refsource_MISC

Affected products

goshs

==>= 1.0.7, < 2.0.0-beta.4

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 2.0.0-beta.3
- nixos-unstable-small 2.0.0-beta.3
nixos-25.11 1.1.2
- nixos-25.11-small 2.0.0-beta.3
- nixpkgs-25.11-darwin 2.0.0-beta.3

Package maintainers

@SEIAROTg SEIAROTg
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1073

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers