{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35393", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.074Z", "datePublished": "2026-04-06T20:50:25.216Z", "dateUpdated": "2026-04-06T20:50:25.216Z"}, "containers": {"cna": {"title": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": "< 2.0.0-beta.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:50:25.216Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3."}], "source": {"advisory": "GHSA-jg56-wf8x-qrv5", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3."}], "id": "CVE-2026-35393", "lastModified": "2026-04-06T21:16:21.163", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T21:16:21.163", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0-beta.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goshs", "source": "cna", "vendor": "patrickhener"}, "product": "goshs", "vendor": "patrickhener"}], "analysis": {"en": {"generated_at": "2026-04-07T02:18:30.059209+00:00", "value": {"mitigation_remediation": ["Upgrade to version 2.0.0\u2011beta.3 or later.", "If an upgrade is not immediately possible, remove or disable the HTTP POST upload endpoint.", "Configure the filesystem to restrict write permissions for the upload directory so that only the application user can write files.", "Continuously monitor web server logs for unexpected file creation or suspicious upload attempts."], "summary": {"action": "Urgent Patch", "impact": "Remote File Write"}, "threat_synthesis": {"affected_systems": "All users running patrickhener:goshs older than version 2.0.0\u2011beta.3 are affected. The issue is present in every release before this patch and has been fixed in 2.0.0\u2011beta.3.", "description_and_impact": "goshs, a lightweight HTTP server written in Go, is affected by a path traversal vulnerability in its POST multipart upload functionality. The flaw arises because the server does not sanitize filenames supplied in uploads, allowing a crafted request to place files outside the intended upload directory. This flaw can be used to write arbitrary files to the host system, potentially including executable scripts or system configuration files, thereby compromising the confidentiality, integrity, and availability of the server.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.8, indicating critical severity. The EPSS score is not available and the issue is not listed in CISA\u2019s KEV catalog. The likely attack vector is an unauthenticated HTTP POST request to the upload endpoint, an inference made from the described behavior; no direct evidence of exploitation is provided. Due to the high severity and the ease of exploitation in exposed instances, the risk to affected deployments is significant. Mitigation is achieved by applying the patched version or temporarily disabling the upload feature."}}}}, "created": "2026-04-07T06:54:08.681533+00:00", "updated": "2026-04-07T09:37:08.771024+00:00", "vendors": ["patrickhener", "patrickhener$PRODUCT$goshs"]}