CVE-2026-40188

Published April 10th, 2026

View on NVD ↗

CVSS v3

7.7

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

goshs-labs/goshs

Feature-rich single-binary file server for red teamers and developers. HTTP/S · WebDAV · FTP/SFTP · SMB · LDAP/S · NTLM hash capture · DNS/SMTP callbacks · TLS · Auth · Share links. A powerful python3 -m http.server replacement.

GitHub

878