CVE-2026-40188

HIGH CVSS 7.7 View on NVD ↗

Description

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

References

https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4
https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx

Published: Apr 10, 2026 20:16 UTC Modified: Apr 10, 2026 20:16 UTC