{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35393", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.074Z", "datePublished": "2026-04-06T20:50:25.216Z", "dateUpdated": "2026-04-08T13:58:10.369Z"}, "containers": {"cna": {"title": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": "< 2.0.0-beta.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:50:25.216Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3."}], "source": {"advisory": "GHSA-jg56-wf8x-qrv5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T13:57:06.850226Z", "id": "CVE-2026-35393", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:58:10.369Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35393", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T13:57:06.850226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:58:04.726Z"}}], "cna": {"title": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload", "source": {"advisory": "GHSA-jg56-wf8x-qrv5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"status": "affected", "version": "< 2.0.0-beta.3"}]}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5", "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:50:25.216Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35393", "state": "PUBLISHED", "dateUpdated": "2026-04-08T13:58:10.369Z", "dateReserved": "2026-04-02T17:03:42.074Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T20:50:25.216Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*", "matchCriteriaId": "471EA45E-3052-469D-B301-4D92FB187228", "versionEndExcluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*", "matchCriteriaId": "047ECFC3-056F-4FAC-9B64-5F7C120CFFE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*", "matchCriteriaId": "6EA86AD2-EE6D-4427-9434-A9A49A4D38F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3."}], "id": "CVE-2026-35393", "lastModified": "2026-04-09T21:20:27.383", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T21:16:21.163", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0-beta.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goshs", "source": "cna", "vendor": "patrickhener"}, "product": "goshs", "vendor": "patrickhener"}], "analysis": {"en": {"generated_at": "2026-04-09T22:48:45.776733+00:00", "value": {"mitigation_remediation": ["Update the goshs installation to version 2.0.0\u2011beta.3 or newer.", "If an upgrade cannot be performed immediately, restrict or disable the POST multipart upload path to prevent traversal attempts.", "Verify that the upload handler no longer accepts unintended paths by testing uploads or reviewing server logs."], "summary": {"action": "Immediate Patch", "impact": "Remote file write enabling arbitrary file creation, potentially leading to code execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the open\u2011source goshs server maintained by patrickhener. Any deployment running a version older than 2.0.0\u2011beta.3 is vulnerable because the POST upload handler did not constrain the pathname. Versions 2.0.0\u2011beta.3 and later contain the patch that enforces a restricted upload directory.", "description_and_impact": "The goshs SimpleHTTPServer allows an attacker to upload files via a POST multipart request without sanitizing the supplied file path. This oversight permits the creation or overwrite of files outside the intended upload directory, potentially enabling remote code execution or the placement of malicious artifacts on the host. The weakness represents a classic Path Traversal scenario.", "risk_and_exploitability": "With a CVSS score of 9.8, the vulnerability is classified as critical. Although the EPSS score is currently below 1% and the issue is not listed in the CISA KEV catalog, the threat remains significant because an unauthenticated attacker can trigger the flaw via a standard HTTP POST to an exposed server, potentially achieving remote code execution. Administrators should treat this as a high\u2011risk exposure pending a security update."}}}}, "created": "2026-04-07T06:54:08.681533+00:00", "updated": "2026-04-10T09:45:02.969821+00:00", "vendors": ["patrickhener", "patrickhener$PRODUCT$goshs"]}