CVE-2026-40188

EUVD-2026-21589
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4
https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx