Path Traversal Flaws in goshs Upload Handlers Allow Remote File Write
Two high-severity vulnerabilities, CVE-2026-35392 and CVE-2026-35393, were disclosed in goshs, a Go-based SimpleHTTPServer, affecting versions prior to 2.0.0-beta.3. Both issues are classified as CWE-22 path traversal flaws that arise from missing pathname sanitization in file upload functionality: PUT upload handling in httpserver/updown.go and POST multipart upload directory processing. The weaknesses could allow remote, unauthenticated attackers to write files outside intended directories.
Both CVEs carry the same CVSS v3 vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact to confidentiality, integrity, and availability. The vulnerabilities were addressed in 2.0.0-beta.3, and related GitHub security advisories were published alongside the fixes. Organizations using goshs for file upload workflows should prioritize upgrading and review exposed instances for unauthorized file placement or tampering.
Timeline
Apr 6, 2026
CVE-2026-35471 is publicly recorded for goshs
A third path traversal vulnerability in goshs, CVE-2026-35471, was publicly recorded for versions prior to 2.0.0-beta.3. The flaw stems from a missing return in tdeleteFile() after a path traversal check, allowing unauthorized file access or modification; the issue is fixed in version 2.0.0-beta.3.
Apr 6, 2026
CVE-2026-35392 and CVE-2026-35393 are publicly recorded
Two vulnerabilities in goshs were publicly recorded: CVE-2026-35392 for path traversal in PUT uploads and CVE-2026-35393 for path traversal in POST multipart uploads. The disclosures note high-impact consequences for confidentiality, integrity, and availability, and reference a related GitHub security advisory.
Apr 6, 2026
goshs fixes two path traversal flaws in version 2.0.0-beta.3
The goshs project fixed two path traversal vulnerabilities affecting versions prior to 2.0.0-beta.3: one in PUT upload handling in httpserver/updown.go and another in the POST multipart upload directory handling. Both issues could allow unauthorized file access or modification due to missing path sanitization.
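The two bug classes in this story, a client-controlled upload path joined to the upload directory without sanitization (the PUT and multipart issues) and a traversal check whose failure path does not return (the tdeleteFile() issue), can be shown side by side in a minimal Go PUT handler. This is an added illustration, not goshs's own code; `safeJoin`, `putHandler` and the `uploads` directory are assumptions for the example.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a client-supplied name resolves outside baseDir.
var ErrTraversal = errors.New("path escapes upload directory")

// safeJoin resolves a client-controlled path against baseDir and rejects any
// result that leaves it (hypothetical helper, not goshs code). It is a lexical
// check only: a symlink already inside baseDir needs a separate check.
func safeJoin(baseDir, userPath string) (string, error) {
	target := filepath.Join(baseDir, userPath) // Join cleans, so "../" is resolved here
	rel, err := filepath.Rel(baseDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

const uploadDir = "uploads" // assumed upload root for this example
// putHandler stores the request body at the URL path under uploadDir. The
// return after the failed check is the point of CVE-2026-35471 as the page
// describes it: a check that fell through on failure still acted on the path.
func putHandler(w http.ResponseWriter, r *http.Request) {
	dst, err := safeJoin(uploadDir, r.URL.Path)
	if err != nil {
		http.Error(w, "invalid path", http.StatusBadRequest)
		return // without this, execution falls through to the write below
	}
	body, err := io.ReadAll(r.Body)
	if err == nil {
		err = os.WriteFile(dst, body, 0o640)
	}
	if err != nil {
		http.Error(w, "write failed", http.StatusInternalServerError)
	}
}

func main() {
	http.HandleFunc("/", putHandler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

A `..` that stays inside the upload root (such as `/a/../b.txt`) is still accepted after normalization; only paths whose cleaned form leaves the root are refused.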
Related Stories

goshs Flaws Enable Auth Bypass and GitHub Token Leakage
Two high-severity vulnerabilities were disclosed in **goshs**, a Go-based SimpleHTTPServer, affecting multiple pre-release and stable versions. `CVE-2026-34581` affects versions from `1.1.0` up to, but not including, `2.0.0-beta.2` and allows attackers to abuse the Share Token feature to bypass download restrictions. The flaw can expose broader goshs functionality beyond the intended file access controls and may lead to **code execution**. The issue is classified as `CWE-288` and was fixed in `2.0.0-beta.2`. A second flaw, `CVE-2026-40903`, affects goshs versions before `2.0.0-beta.6` and is described as an **ArtiPACKED** vulnerability that can leak `GITHUB_TOKEN` values through GitHub Actions workflow artifacts, even when the token does not appear in repository source code. The issue is mapped to `CWE-829` and carries high confidentiality and integrity impact, extending the concern from application access control to CI/CD credential exposure. The vendor lists `2.0.0-beta.6` as the fix version, and a GitHub security advisory has been published.
1 week ago
Critical Root Access and Arbitrary File Write Flaws Disclosed in Network-Exposed Systems
Two high-severity vulnerabilities were disclosed affecting exposed application and device management surfaces, including a flaw that can give attackers **root access** and another that enables **arbitrary file write** through path traversal. **CVE-2026-3587** describes an unauthenticated remote attack path in a hidden CLI function that lets an attacker escape a restricted prompt and gain root access to the underlying Linux operating system, potentially leading to full device compromise. The issue was mapped to `CWE-912` and assigned a `CVSS v3.1` score vector of `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, with CERT VDE publishing advisory `VDE-2026-020`. A separate vulnerability, **CVE-2026-5027**, affects Langflow's `POST /api/v2/files` endpoint, where improper sanitization of the multipart `filename` parameter allows path traversal using `../` sequences. An authenticated attacker can exploit the bug to write files to arbitrary filesystem locations, creating a route to compromise confidentiality, integrity, and availability. The flaw was classified as `CWE-22`, carries the `CVSS v3.1` vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, and is referenced in Tenable advisory `TRA-2026-26`.
1 month ago
Remote Code Execution via File Overwrite in Gogs PutContents API
A critical vulnerability, tracked as CVE-2025-8110, has been identified in the PutContents API of the *Gogs* self-hosted Git service. The flaw arises from improper handling of symbolic links, allowing remote, authenticated attackers to overwrite arbitrary files on the server. Successful exploitation enables attackers to execute arbitrary code with the privileges of the Gogs server process, potentially leading to full system compromise. Security researchers have reported that this vulnerability is being actively exploited in the wild, and it affects Gogs versions 0.13.3 and prior. Currently, there is no patched version available to address CVE-2025-8110. Administrators are advised to disable auto-registration of users and avoid exposing Gogs instances to the internet as temporary mitigations. Detection of vulnerable systems can be performed using specific queries to identify Gogs installations, such as searching for HTTP services with a known favicon hash. Organizations running Gogs should prioritize mitigation steps to reduce the risk of exploitation until an official fix is released.
1 month ago