{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35471", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.453Z", "datePublished": "2026-04-06T21:38:27.657Z", "dateUpdated": "2026-04-07T16:22:49.068Z"}, "containers": {"cna": {"title": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": "< 2.0.0-beta.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:38:27.657Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3."}], "source": {"advisory": "GHSA-6qcc-6q27-whp8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T16:22:40.861310Z", "id": "CVE-2026-35471", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:22:49.068Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35471", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T16:22:40.861310Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:22:44.564Z"}}], "cna": {"title": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs", "source": {"advisory": "GHSA-6qcc-6q27-whp8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"status": "affected", "version": "< 2.0.0-beta.3"}]}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8", "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:38:27.657Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35471", "state": "PUBLISHED", "dateUpdated": "2026-04-07T16:22:49.068Z", "dateReserved": "2026-04-02T20:49:44.453Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T21:38:27.657Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*", "matchCriteriaId": "471EA45E-3052-469D-B301-4D92FB187228", "versionEndExcluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*", "matchCriteriaId": "047ECFC3-056F-4FAC-9B64-5F7C120CFFE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*", "matchCriteriaId": "6EA86AD2-EE6D-4427-9434-A9A49A4D38F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3."}], "id": "CVE-2026-35471", "lastModified": "2026-04-09T21:20:35.993", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:23.913", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0-beta.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goshs", "source": "cna", "vendor": "patrickhener"}, "product": "goshs", "vendor": "patrickhener"}], "analysis": {"en": {"generated_at": "2026-04-09T22:48:35.199149+00:00", "value": {"mitigation_remediation": ["Upgrade goshs to version 2.0.0\u2011beta.3 or newer.", "Verify that the update has been applied and that no delete API remains exposed."], "summary": {"action": "Apply patch", "impact": "Arbitrary file deletion via path traversal"}, "threat_synthesis": {"affected_systems": "Affected versions are the publicly available releases of the goshs project before the 2.0.0\u2011beta.3 update, notably 2.0.0\u2011beta.1 and 2.0.0\u2011beta.2. The remedy is to upgrade to 2.0.0\u2011beta.3 or later. Products are hosted by patrickhener and the Go implementation of a simple web server.", "description_and_impact": "The vulnerability resides in the delete function of goshs, where a path traversal check is performed but the function does not return after the check, allowing selected paths to exceed the intended repository boundary. An attacker who can cause the delete routine to run with file\u2011system permissions can delete any file reachable by the running process, potentially impacting critical system files, credentials, or logs. The weakness aligns with CWE\u201122 and is classified as a high\u2011severity path traversal exposing data deletion capabilities.", "risk_and_exploitability": "The assigned CVSS score of 9.8 reflects the extreme impact of the flaw. With an EPSS score below 1% and no entry in the CISA KEV catalog, the documented likelihood of widespread exploitation remains low, yet the potential damage is severe. It is inferred that the attack vector is likely remote, delivered via HTTP requests to the delete endpoint, but the description does not provide explicit evidence of a remote trigger, so the assumption remains qualified."}}}}, "created": "2026-04-07T06:53:44.139921+00:00", "updated": "2026-04-10T09:41:49.913507+00:00", "vendors": ["patrickhener", "patrickhener$PRODUCT$goshs"]}