Skip to main content

goshs EUVDEUVD-2026-27067

| CVE-2026-42091 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-04 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Patch available
May 04, 2026 - 19:17 EUVD
Source Code Evidence Fetched
May 04, 2026 - 18:03 vuln.today
Analysis Generated
May 04, 2026 - 18:03 vuln.today
Analysis Generated
May 04, 2026 - 17:45 vuln.today
CVE Published
May 04, 2026 - 17:24 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser - bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.

AnalysisAI

goshs SimpleHTTPServer versions prior to 2.0.2 allow arbitrary file write via cross-origin PUT requests due to missing CSRF token validation on the PUT handler combined with permissive wildcard CORS headers. An attacker can trick a victim into visiting a malicious website which then writes arbitrary files to a goshs instance running on localhost or an internal network, bypassing network isolation protections. Publicly available exploit code exists, and the vulnerability affects all v2.x releases before 2.0.2 and all v1.x releases (no patch available for v1.x).

Technical ContextAI

goshs is a lightweight HTTP file server written in Go that supports file upload and download. The vulnerability exploits two weaknesses in the HTTP request handling layer: (1) the PUT upload handler in httpserver/updown.go was not updated to include CSRF token validation when a similar fix was applied to the POST handler during the prior CVE-2026-40883 remediation, and (2) the OPTIONS preflight handler in httpserver/server.go returns Access-Control-Allow-Origin: * unconditionally, which allows browsers executing JavaScript from any origin to pass CORS preflight checks and send PUT requests. The root cause is CWE-352 (Cross-Site Request Forgery), where the application fails to validate that file-upload requests originate from the legitimate goshs web interface rather than a third-party website. Combined, these weaknesses allow cross-origin file uploads: a victim's browser receives a CORS preflight (OPTIONS) response permitting PUT, then the actual PUT request proceeds without CSRF token verification, resulting in arbitrary file write to the goshs webroot.

RemediationAI

Upgrade goshs to version 2.0.2 or later immediately. The patch adds CSRF token validation to the PUT handler (httpserver/updown.go:19) to match the POST handler protection, and modifies CORS handling to only enforce CSRF checks in unauthenticated deployments (when basic auth is not configured). For users unable to upgrade immediately, enable HTTP Basic Authentication (goshs -b flag or equivalent) on all instances; this mitigates the vulnerability because browsers cannot attach credentials to CORS preflight requests, causing the preflight to fail and preventing the actual PUT request from reaching the server. However, basic auth adds authentication overhead and is a compensating control, not a complete fix - upgrade to 2.0.2 is the only reliable remediation. Users on v1.x (1.1.4 and earlier) must migrate to v2.0.2 as no patch is available for v1.x. See GitHub advisory https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm and release page https://github.com/patrickhener/goshs/releases/tag/v2.0.2.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-27067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy