Nixpkgs security tracker

Login with GitHub

Suggestions search

Dismissed
Filter by:
With package: goshs

Found 3 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-40885
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month ago
  • @LeSuisse dismissed 1 month ago
goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6.

Affected products

goshs
  • ==>= 2.0.0-beta.4, < 2.0.0-beta.6

Matching in nixpkgs

Package maintainers

We are no within the impacted range
Permalink CVE-2026-40903
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month ago
  • @LeSuisse dismissed 1 month ago
Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential Persistence

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6.

Affected products

goshs
  • ==< 2.0.0-beta.6

Matching in nixpkgs

Package maintainers

Does not impact the software directly
Permalink CVE-2026-40883
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month ago
  • @LeSuisse dismissed 1 month ago
goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6.

Affected products

goshs
  • ==>= 2.0.0-beta.4, < 2.0.0-beta.6

Matching in nixpkgs

Package maintainers

Not impacted, we are either before or after the impacted range.