
Description

goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when a Share Token is used, it is possible to bypass the restriction to the selected file download and reach all goshs functionality, including code execution. This issue has been patched in version 2.0.0-beta.2.

PUBLISHED Reserved 2026-03-30 | Published 2026-04-02 | Updated 2026-04-03 | Assigner GitHub_M




HIGH: 8.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Problem types

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Product status

Affected: >= 1.1.0, < 2.0.0-beta.2

References

github.com/.../goshs/security/advisories/GHSA-jgfx-74g2-9r6g

github.com/...ommit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216

github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2

cve.org (CVE-2026-34581)

nvd.nist.gov (CVE-2026-34581)
