EUVD-2026-21589
GHSA-2943-crp8-38xx
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
3Description
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
Analysis
Path traversal in patrickhener goshs SFTP rename operation enables authenticated attackers to write files outside the configured root directory. Versions 1.0.7 through 2.0.0-beta.3 fail to sanitize destination paths in SFTP rename commands, allowing low-privileged users to overwrite arbitrary filesystem locations with network access. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: identify all systems running goshs versions 1.0.7-2.0.0-beta.3 and restrict SFTP access to trusted users only via firewall or network segmentation. Within 7 days: disable goshs SFTP rename functionality if operationally feasible, or implement strict OS-level file permissions and SELinux/AppArmor policies to prevent writes outside designated directories. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today