{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35392", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.074Z", "datePublished": "2026-04-06T20:48:56.647Z", "dateUpdated": "2026-04-07T16:19:28.746Z"}, "containers": {"cna": {"title": "goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": "< 2.0.0-beta.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:48:56.647Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3."}], "source": {"advisory": "GHSA-g8mv-vp7j-qp64", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T16:19:16.196298Z", "id": "CVE-2026-35392", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:19:28.746Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35392", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T16:19:16.196298Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:19:25.918Z"}}], "cna": {"title": "goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload", "source": {"advisory": "GHSA-g8mv-vp7j-qp64", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"status": "affected", "version": "< 2.0.0-beta.3"}]}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64", "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:48:56.647Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35392", "state": "PUBLISHED", "dateUpdated": "2026-04-07T16:19:28.746Z", "dateReserved": "2026-04-02T17:03:42.074Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T20:48:56.647Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*", "matchCriteriaId": "471EA45E-3052-469D-B301-4D92FB187228", "versionEndExcluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*", "matchCriteriaId": "047ECFC3-056F-4FAC-9B64-5F7C120CFFE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*", "matchCriteriaId": "6EA86AD2-EE6D-4427-9434-A9A49A4D38F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3."}], "id": "CVE-2026-35392", "lastModified": "2026-04-09T21:20:20.510", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T21:16:21.013", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0-beta.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goshs", "source": "cna", "vendor": "patrickhener"}, "product": "goshs", "vendor": "patrickhener"}], "analysis": {"en": {"generated_at": "2026-04-07T02:27:43.645133+00:00", "value": {"mitigation_remediation": ["Upgrade goshs to version 2.0.0-beta.3 or later to eliminate the path traversal issue in the PUT upload feature.", "If an upgrade is not immediately possible, configure the server or firewall to restrict the HTTP PUT method to trusted IP addresses or disable the method entirely to prevent unauthorized file uploads.", "Implement network\u2011level hardening such as firewall rules that limit access to the server\u2019s HTTP port, and enforce authentication on any remaining PUT endpoints to reduce exposure."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Write (Path Traversal)"}, "threat_synthesis": {"affected_systems": "The affected product is goshs, maintained by patrickhener. All releases older than 2.0.0-beta.3 lack the necessary path\u2011sanitization logic in the upload routine. The issue was addressed in version 2.0.0-beta.3 and later releases. No other vendors or product lines are listed as affected.", "description_and_impact": "goshs, a lightweight HTTP server written in Go, contains a flaw in its PUT upload handler that fails to sanitize the supplied pathname. As a result, a client can issue a crafted HTTP PUT request that instructs the server to write a file to any path that the server process can access. This allows an attacker to create new files or overwrite existing ones, potentially altering configuration files, adding malicious scripts, or otherwise modifying the server\u2019s filesystem in a way that could compromise the integrity of the application or host.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.8, categorizing it as critical. Because the only requirement for exploitation is a crafted HTTP PUT request, it can be performed from any host that can reach the server\u2019s HTTP endpoint. The lack of a known EPSS value and absence from the KEV catalog suggest it has not yet been widely exploited, but the high score and ease of exploitation give it a high likelihood of real\u2011world impact for exposed instances."}}}}, "created": "2026-04-07T06:54:09.645363+00:00", "updated": "2026-04-07T09:37:09.918649+00:00", "vendors": ["patrickhener", "patrickhener$PRODUCT$goshs"]}