Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: goshs

Found 3 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-40188
7.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 9 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 15 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 9 hours ago
goshs is Missing Write Protection for Parametric Data Values

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

Affected products

goshs
  • ==>= 1.0.7, < 2.0.0-beta.4

Matching in nixpkgs

Package maintainers

Published
Permalink CVE-2026-40189
updated 9 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 15 hours ago
  • @LeSuisse ignored reference https://g… 10 hours ago
  • @LeSuisse accepted 10 hours ago
  • @LeSuisse published on GitHub 9 hours ago
goshs has a file-based ACL authorization bypass in goshs state-changing routes

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.

Affected products

goshs
  • ==< 2.0.0-beta.4

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-35392
created 4 days, 15 hours ago
goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.

Affected products

goshs
  • ==< 2.0.0-beta.3

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

Package maintainers