Nixpkgs security tracker

Untriaged

Permalink CVE-2026-34581

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 week, 5 days ago

goshs has Auth Bypass via Share Token

goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216 x_refsource_MISC
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2 x_refsource_MISC

Affected products

goshs

==>= 1.1.0, < 2.0.0-beta.2

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 1.1.4
- nixos-unstable-small 1.1.4
nixos-25.11 1.1.2
- nixos-25.11-small 1.1.2
- nixpkgs-25.11-darwin 1.1.2

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@SEIAROTg SEIAROTg
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers