{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35392", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.074Z", "datePublished": "2026-04-06T20:48:56.647Z", "dateUpdated": "2026-04-07T16:19:28.746Z"}, "containers": {"cna": {"title": "goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": "< 2.0.0-beta.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:48:56.647Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3."}], "source": {"advisory": "GHSA-g8mv-vp7j-qp64", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T16:19:16.196298Z", "id": "CVE-2026-35392", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:19:28.746Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35392", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T16:19:16.196298Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:19:25.918Z"}}], "cna": {"title": "goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload", "source": {"advisory": "GHSA-g8mv-vp7j-qp64", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"status": "affected", "version": "< 2.0.0-beta.3"}]}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64", "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:48:56.647Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35392", "state": "PUBLISHED", "dateUpdated": "2026-04-07T16:19:28.746Z", "dateReserved": "2026-04-02T17:03:42.074Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T20:48:56.647Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*", "matchCriteriaId": "471EA45E-3052-469D-B301-4D92FB187228", "versionEndExcluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*", "matchCriteriaId": "047ECFC3-056F-4FAC-9B64-5F7C120CFFE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*", "matchCriteriaId": "6EA86AD2-EE6D-4427-9434-A9A49A4D38F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3."}], "id": "CVE-2026-35392", "lastModified": "2026-04-09T21:20:20.510", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T21:16:21.013", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0-beta.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goshs", "source": "cna", "vendor": "patrickhener"}, "product": "goshs", "vendor": "patrickhener"}], "analysis": {"en": {"generated_at": "2026-04-09T23:09:32.582284+00:00", "value": {"mitigation_remediation": ["Upgrade pacmanhener's goshs to version 2.0.0\u2011beta.3 or later to apply the path sanitization fix.\nVerify that the server\u2019s PUT upload endpoint no longer allows filenames that navigate outside the intended directory."], "summary": {"action": "Immediate Patch", "impact": "Remote File Write via Path Traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the patrickhener:goshs product and affects all releases prior to 2.0.0\u2011beta.3, including the 2.0.0\u2011beta.1 and 2.0.0\u2011beta.2 builds. The issue was addressed in version 2.0.0\u2011beta.3, which introduces pathname sanitization and limits upload operations to the designated directory.", "description_and_impact": "goshs, a lightweight HTTP server written in Go, allows clients to upload files with the HTTP PUT method without sanitizing the requested pathname. This omission permits an attacker to craft filenames that reference directories outside the intended upload directory, effectively creating or overwriting arbitrary files on the server's filesystem. The resulting vulnerability is a classic path traversal flaw that can compromise data integrity, confidentiality, and potentially enable remote code execution if the written files are executable or are placed in sensitive locations.", "risk_and_exploitability": "With a CVSS score of 9.8 the flaw is classified as critical; the EPSS score below 1% indicates low current exploitation likelihood, but the vulnerability remains exploitable over an open network via unauthenticated HTTP PUT requests to any publicly reachable goshs instance. The flaw is not listed in the CISA KEV catalog, yet its high severity warrants immediate attention to prevent potential system compromise."}}}}, "created": "2026-04-07T06:54:09.645363+00:00", "updated": "2026-04-10T09:45:04.342933+00:00", "vendors": ["patrickhener", "patrickhener$PRODUCT$goshs"]}