Nixpkgs security tracker

Permalink CVE-2026-42091

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

created 3 weeks ago Activity log

Created suggestion 3 weeks ago

goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32 x_refsource_MISC
https://github.com/patrickhener/goshs/releases/tag/v2.0.2 x_refsource_MISC

Affected products

goshs

==< 2.0.2

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 2.0.6
- nixpkgs-unstable 2.0.6
- nixos-unstable-small 2.0.6
nixos-25.11 2.0.0-beta.3
- nixos-25.11-small 2.0.0-beta.3
- nixpkgs-25.11-darwin 2.0.0-beta.3

Package maintainers

@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Permalink CVE-2026-35393

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5 x_refsource_CONFIRM

Affected products

goshs

==< 2.0.0-beta.3

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 1.1.4
- nixos-unstable-small 1.1.4
nixos-25.11 1.1.2
- nixos-25.11-small 1.1.2
- nixpkgs-25.11-darwin 1.1.2

Package maintainers

@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>

Permalink CVE-2026-35392

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64 x_refsource_CONFIRM

Affected products

goshs

==< 2.0.0-beta.3

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 1.1.4
- nixos-unstable-small 1.1.4
nixos-25.11 1.1.2
- nixos-25.11-small 1.1.2
- nixpkgs-25.11-darwin 1.1.2

Package maintainers

@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>

Permalink CVE-2026-34581

8.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

goshs has Auth Bypass via Share Token

goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216 x_refsource_MISC
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2 x_refsource_MISC

Affected products

goshs

==>= 1.1.0, < 2.0.0-beta.2

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 1.1.4
- nixos-unstable-small 1.1.4
nixos-25.11 1.1.2
- nixos-25.11-small 1.1.2
- nixpkgs-25.11-darwin 1.1.2

Package maintainers

@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers