Vulnerabilities

CVE-2026-40188

by Fred · 10/04/2026

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

More information : https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744

Similar

Tags: Cybersecurity Alert