Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: goshs

Found 12 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-35392
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.

Affected products

goshs
  • ==< 2.0.0-beta.3

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

Package maintainers

Untriaged
Permalink CVE-2026-34581
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
goshs has Auth Bypass via Share Token

goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.

Affected products

goshs
  • ==>= 1.1.0, < 2.0.0-beta.2

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

Package maintainers