Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-42091
6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.
References
-
https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm x_refsource_CONFIRM
-
https://github.com/patrickhener/goshs/releases/tag/v2.0.2 x_refsource_MISC
Affected products
goshs
- ==< 2.0.2
Matching in nixpkgs
pkgs.goshs
Simple, yet feature-rich web server written in Go
-
nixos-25.11 2.0.0-beta.3
- nixos-25.11-small 2.0.0-beta.3
- nixpkgs-25.11-darwin 2.0.0-beta.3
Package maintainers
-
@SEIAROTg SEIAROTg
-
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>