Description

goshs is a SimpleHTTPServer written in Go. From version 1.0.7 to before 2.0.0-beta.4, the SFTP rename command sanitizes only the source path and not the destination path, so it is possible to write outside the SFTP root directory. This vulnerability is fixed in 2.0.0-beta.4.

Status: PUBLISHED | Reserved 2026-04-09 | Published 2026-04-10 | Updated 2026-04-13 | Assigner: GitHub_M

Severity: HIGH 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)

Problem types

CWE-1314: Missing Write Protection for Parametric Data Values

Product status

Affected: >= 1.0.7, < 2.0.0-beta.4

References

github.com/.../goshs/security/advisories/GHSA-2943-crp8-38xx (exploit)

github.com/.../goshs/security/advisories/GHSA-2943-crp8-38xx

github.com/...ommit/141c188ce270ffbec087844a50e5e695b7da7744

github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4

cve.org (CVE-2026-40188)

nvd.nist.gov (CVE-2026-40188)