Skip to main content

Suse CVE-2026-40188

| EUVDEUVD-2026-21589 HIGH
Missing Write Protection for Parametric Data Values (CWE-1314)
2026-04-10 GitHub_M GHSA-2943-crp8-38xx
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:57 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-beta.4
EUVD ID Assigned
Apr 10, 2026 - 20:15 euvd
EUVD-2026-21589
Analysis Generated
Apr 10, 2026 - 20:15 vuln.today
CVE Published
Apr 10, 2026 - 19:43 nvd
HIGH 7.7

DescriptionGitHub Advisory

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

AnalysisAI

Path traversal in patrickhener goshs SFTP rename operation enables authenticated attackers to write files outside the configured root directory. Versions 1.0.7 through 2.0.0-beta.3 fail to sanitize destination paths in SFTP rename commands, allowing low-privileged users to overwrite arbitrary filesystem locations with network access. High integrity impact with scope change indicates potential host compromise. No public exploit identified at time of analysis.

Technical ContextAI

CWE-1314 path traversal via incomplete input sanitization. The SFTP rename command implementation applies path normalization exclusively to source arguments while passing destination paths unchecked, enabling directory traversal sequences (../) to escape the chroot-style containment. CVSS scope change reflects potential impact beyond the vulnerable component's security boundary.

RemediationAI

Vendor-released patch: upgrade to goshs version 2.0.0-beta.4 or later, which implements destination path sanitization in SFTP rename operations. The fix is implemented in commit 141c188ce270ffbec087844a50e5e695b7da7744. If immediate upgrade is infeasible, disable SFTP functionality or restrict SFTP access to fully trusted users until patching. Verify no unauthorized files exist outside the intended root directory post-remediation. Full advisory available at https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx and release notes at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4. EPSS scoring indicates low observed exploitation activity.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-40188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy