NIXPKGS-2026-1073
CVE-2026-40188
7.7 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
by @LeSuisse
Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
goshs is Missing Write Protection for Parametric Data Values
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP rename command sanitizes only the source path and not the destination, so it is possible to write outside the SFTP root directory. This vulnerability is fixed in 2.0.0-beta.4.
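The flaw class described above, as an added Go example that is not goshs's own code: a rename handler that confines only the source path, next to one that confines both ends before touching the filesystem. The function names, `ErrOutsideRoot`, the `/srv/sftp` root and the file names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes SFTP root")

// confine joins a client-supplied path onto root and rejects results outside root.
// The check is lexical: it does not resolve symlinks that already exist inside root.
func confine(root, clientPath string) (string, error) {
	full := filepath.Join(root, clientPath) // Join also cleans, so ".." is collapsed here
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// renameSourceOnly shows the flaw (hypothetical handler): it only plans the rename.
func renameSourceOnly(root, src, dst string) (string, string, error) {
	from, err := confine(root, src)
	if err != nil {
		return "", "", err
	}
	return from, filepath.Join(root, dst), nil // destination is never checked
}

// renameConfined validates both ends before calling os.Rename.
func renameConfined(root, src, dst string) error {
	from, err := confine(root, src)
	if err != nil {
		return err
	}
	to, err := confine(root, dst)
	if err != nil {
		return err
	}
	return os.Rename(from, to)
}

func main() { // constructed sample paths; nothing is renamed because confine fails first
	_, to, _ := renameSourceOnly("/srv/sftp", "a.txt", "../outside.txt")
	fmt.Println("source-only:", to, "| confined:", renameConfined("/srv/sftp", "a.txt", "../outside.txt"))
}
```

Because the check is lexical, a deployment that allows symlinks inside the root needs an additional symlink-aware check on the resolved paths.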
Affected products
goshs
- >= 1.0.7, < 2.0.0-beta.4
Matching in nixpkgs
pkgs.goshs
Simple, yet feature-rich web server written in Go
- nixos-unstable 1.1.4
- nixpkgs-unstable 2.0.0-beta.3
- nixos-unstable-small 2.0.0-beta.3
- nixos-25.11 1.1.2
- nixos-25.11-small 2.0.0-beta.3
- nixpkgs-25.11-darwin 2.0.0-beta.3
Package maintainers
- @SEIAROTg SEIAROTg
- @matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>