Nixpkgs security tracker

Untriaged

Permalink CVE-2026-42091

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 day, 5 hours ago Activity log

Created suggestion 1 day, 5 hours ago

goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32 x_refsource_MISC
https://github.com/patrickhener/goshs/releases/tag/v2.0.2 x_refsource_MISC

Affected products

goshs

==< 2.0.2

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 2.0.6
- nixpkgs-unstable 2.0.6
- nixos-unstable-small 2.0.6
nixos-25.11 2.0.0-beta.3
- nixos-25.11-small 2.0.0-beta.3
- nixpkgs-25.11-darwin 2.0.0-beta.3

Package maintainers

@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers