{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34581", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.999Z", "datePublished": "2026-04-02T18:04:35.217Z", "dateUpdated": "2026-04-03T17:01:54.432Z"}, "containers": {"cna": {"title": "goshs has Auth Bypass via Share Token", "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g"}, {"name": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216"}, {"name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": ">= 1.1.0, < 2.0.0-beta.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:04:35.217Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2."}], "source": {"advisory": "GHSA-jgfx-74g2-9r6g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:19:09.570992Z", "id": "CVE-2026-34581", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T17:01:54.432Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34581", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T16:19:09.570992Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T17:00:06.119Z"}}], "cna": {"title": "goshs has Auth Bypass via Share Token", "source": {"advisory": "GHSA-jgfx-74g2-9r6g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"status": "affected", "version": ">= 1.1.0, < 2.0.0-beta.2"}]}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g", "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216", "name": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2", "name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:04:35.217Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34581", "state": "PUBLISHED", "dateUpdated": "2026-04-03T17:01:54.432Z", "dateReserved": "2026-03-30T16:56:30.999Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:04:35.217Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*", "matchCriteriaId": "EE028980-59D0-49E3-81A8-BB9E32D3FC9F", "versionEndExcluding": "2.0.0", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*", "matchCriteriaId": "047ECFC3-056F-4FAC-9B64-5F7C120CFFE1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2."}], "id": "CVE-2026-34581", "lastModified": "2026-04-15T17:38:30.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:32.157", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.0,2.0.0-beta.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goshs", "source": "cna", "vendor": "patrickhener"}, "product": "goshs", "vendor": "patrickhener"}], "analysis": {"en": {"generated_at": "2026-04-02T22:52:36.206103+00:00", "value": {"mitigation_remediation": ["Upgrade goshs to version 2.0.0-beta.2 or later"], "summary": {"action": "Apply Patch", "impact": "Authorization Bypass leading to unrestricted access and potential code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of goshs from version 1.1.0 up to but not including version 2.0.0\u2011beta.2. The product is identified under patrickhener:goshs, and the patch was released in the 2.0.0\u2011beta.2 release.", "description_and_impact": "goshs, a simple HTTP server written in Go, contains an authorization bypass that allows an attacker to use a Share Token to access the full server functionalities, including executing code. The flaw, identified as CWE-288, means that an unauthorized user can retrieve any file or launch commands on the host, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 8.1 classifies it as high severity; the EPSS score is undisclosed and it is not in the KEV list, but the vulnerability can be triggered by a simple HTTP request providing a Share Token, so remote attackers can execute arbitrary code or exfiltrate data. The lack of public exploitation data does not reduce the threat, as the access vector is likely remote via the web interface."}}}}, "created": "2026-04-03T07:32:04.299630+00:00", "updated": "2026-04-03T09:17:04.064171+00:00", "vendors": ["patrickhener", "patrickhener$PRODUCT$goshs"]}