Nixpkgs security tracker

Permalink CVE-2026-40188

7.7 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 11 hours ago by @LeSuisse Activity log

Created automatic suggestion 17 hours ago
@LeSuisse accepted 12 hours ago
@LeSuisse published on GitHub 11 hours ago

goshs is Missing Write Protection for Parametric Data Values

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744 x_refsource_MISC
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4 x_refsource_MISC

Affected products

goshs

==>= 1.0.7, < 2.0.0-beta.4

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 2.0.0-beta.3
- nixos-unstable-small 2.0.0-beta.3
nixos-25.11 1.1.2
- nixos-25.11-small 2.0.0-beta.3
- nixpkgs-25.11-darwin 2.0.0-beta.3

Package maintainers

@SEIAROTg SEIAROTg
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Permalink CVE-2026-40189

updated 11 hours ago by @LeSuisse Activity log

Created automatic suggestion 17 hours ago
@LeSuisse ignored reference https://g… 11 hours ago
@LeSuisse accepted 11 hours ago
@LeSuisse published on GitHub 11 hours ago

goshs has a file-based ACL authorization bypass in goshs state-changing routes

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f x_refsource_MISC

Ignored references (1)

https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4 x_refsource_MISC

Affected products

goshs

==< 2.0.0-beta.4

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 2.0.0-beta.3
- nixos-unstable-small 2.0.0-beta.3
nixos-25.11 1.1.2
- nixos-25.11-small 2.0.0-beta.3
- nixpkgs-25.11-darwin 2.0.0-beta.3

Package maintainers

@SEIAROTg SEIAROTg
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers