{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40188", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T20:59:17.620Z", "datePublished": "2026-04-10T19:43:45.197Z", "dateUpdated": "2026-04-13T15:35:32.574Z"}, "containers": {"cna": {"title": "goshs is Missing Write Protection for Parametric Data Values", "problemTypes": [{"descriptions": [{"cweId": "CWE-1314", "lang": "en", "description": "CWE-1314: Missing Write Protection for Parametric Data Values", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"}, {"name": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744"}, {"name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": ">= 1.0.7, < 2.0.0-beta.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:43:45.197Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4."}], "source": {"advisory": "GHSA-2943-crp8-38xx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:28:25.294603Z", "id": "CVE-2026-40188", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:35:32.574Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40188", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:28:25.294603Z"}}}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:23:28.408Z"}}], "cna": {"title": "goshs is Missing Write Protection for Parametric Data Values", "source": {"advisory": "GHSA-2943-crp8-38xx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"status": "affected", "version": ">= 1.0.7, < 2.0.0-beta.4"}]}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx", "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744", "name": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4", "name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1314", "description": "CWE-1314: Missing Write Protection for Parametric Data Values"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:43:45.197Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40188", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:35:32.574Z", "dateReserved": "2026-04-09T20:59:17.620Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T19:43:45.197Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*", "matchCriteriaId": "1CC7DF19-7DCC-4ACF-B4ED-789E769A8B3F", "versionEndExcluding": "2.0.0", "versionStartIncluding": "1.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*", "matchCriteriaId": "047ECFC3-056F-4FAC-9B64-5F7C120CFFE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*", "matchCriteriaId": "6EA86AD2-EE6D-4427-9434-A9A49A4D38F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta3:*:*:*:go:*:*", "matchCriteriaId": "F44CF6A3-C1BC-4636-A1D5-1ED69A340FE3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4."}], "id": "CVE-2026-40188", "lastModified": "2026-04-14T20:15:28.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T20:16:23.733", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1314"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.7,2.0.0-beta.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goshs", "source": "cna", "vendor": "patrickhener"}, "product": "goshs", "vendor": "patrickhener"}], "analysis": {"en": {"generated_at": "2026-04-14T21:53:24.766049+00:00", "value": {"mitigation_remediation": ["Upgrade to goshs version 2.0.0\u2011beta.4 or later", "Confirm the running version to ensure the patch is applied", "Restrict the SFTP service to trusted hosts or networks", "If an upgrade cannot be performed immediately, monitor the filesystem for unexpected writes outside the configured root"], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The open\u2011source SimpleHTTPServer tool called goshs, maintained by Patrick Hener, is affected. Versions from 1.0.7 up to, but not including, 2.0.0\u2011beta.4 contain the flaw; the issue was addressed in release 2.0.0\u2011beta.4 and later revisions contain the fix.", "description_and_impact": "The SFTP rename command in goshs sanitizes only the source file path and leaves the destination path unsanitized. An attacker can provide a destination that resolves outside the configured root directory, allowing creation, modification, or deletion of files beyond the intended area. This capability can compromise the confidentiality, integrity, or availability of the server.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.7, indicating a high impact. The EPSS score is below 1\u202f%, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The most probable attack path is via the SFTP rename operation, which requires network access to the SFTP service and typically valid authentication credentials. Limiting or monitoring the SFTP interface reduces the potential for abuse."}}}}, "created": "2026-04-13T12:42:40.331345+00:00", "updated": "2026-04-15T15:45:07.553028+00:00", "vendors": ["patrickhener", "patrickhener$PRODUCT$goshs"]}