Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser - bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.
AnalysisAI
goshs SimpleHTTPServer versions prior to 2.0.2 allow arbitrary file write via cross-origin PUT requests due to missing CSRF token validation on the PUT handler combined with permissive wildcard CORS headers. An attacker can trick a victim into visiting a malicious website which then writes arbitrary files to a goshs instance running on localhost or an internal network, bypassing network isolation protections. Publicly available exploit code exists, and the vulnerability affects all v2.x releases before 2.0.2 and all v1.x releases (no patch available for v1.x).
Technical ContextAI
goshs is a lightweight HTTP file server written in Go that supports file upload and download. The vulnerability exploits two weaknesses in the HTTP request handling layer: (1) the PUT upload handler in httpserver/updown.go was not updated to include CSRF token validation when a similar fix was applied to the POST handler during the prior CVE-2026-40883 remediation, and (2) the OPTIONS preflight handler in httpserver/server.go returns Access-Control-Allow-Origin: * unconditionally, which allows browsers executing JavaScript from any origin to pass CORS preflight checks and send PUT requests. The root cause is CWE-352 (Cross-Site Request Forgery), where the application fails to validate that file-upload requests originate from the legitimate goshs web interface rather than a third-party website. Combined, these weaknesses allow cross-origin file uploads: a victim's browser receives a CORS preflight (OPTIONS) response permitting PUT, then the actual PUT request proceeds without CSRF token verification, resulting in arbitrary file write to the goshs webroot.
RemediationAI
Upgrade goshs to version 2.0.2 or later immediately. The patch adds CSRF token validation to the PUT handler (httpserver/updown.go:19) to match the POST handler protection, and modifies CORS handling to only enforce CSRF checks in unauthenticated deployments (when basic auth is not configured). For users unable to upgrade immediately, enable HTTP Basic Authentication (goshs -b flag or equivalent) on all instances; this mitigates the vulnerability because browsers cannot attach credentials to CORS preflight requests, causing the preflight to fail and preventing the actual PUT request from reaching the server. However, basic auth adds authentication overhead and is a compensating control, not a complete fix - upgrade to 2.0.2 is the only reliable remediation. Users on v1.x (1.1.4 and earlier) must migrate to v2.0.2 as no patch is available for v1.x. See GitHub advisory https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm and release page https://github.com/patrickhener/goshs/releases/tag/v2.0.2.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27067