Suse
CVE-2025-46816
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function dispatchReadPump does not checks the option cli -c, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.
AnalysisAI
goshs is a SimpleHTTPServer written in Go. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function dispatchReadPump does not checks the option cli -c, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue. Version information: version 0.3.4.
Affected ProductsAI
Go. Starting in version 0.3.4 and.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today