Nixpkgs security tracker

Untriaged

Permalink CVE-2026-40188

7.7 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 4 days, 7 hours ago

goshs is Missing Write Protection for Parametric Data Values

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744 x_refsource_MISC
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4 x_refsource_MISC

Affected products

goshs

==>= 1.0.7, < 2.0.0-beta.4

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 2.0.0-beta.3
- nixos-unstable-small 2.0.0-beta.3
nixos-25.11 1.1.2
- nixos-25.11-small 2.0.0-beta.3
- nixpkgs-25.11-darwin 2.0.0-beta.3

Package maintainers

@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers