Description

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.

INFO

Published Date :

2026-05-04T17:24:47.890Z

Last Modified :

2026-05-05T14:14:46.121Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-42091 vulnerability.

Vendors Products
Patrickhener
  • Goshs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42091.

URL Resource
https://github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32 cve-icon cve-icon
https://github.com/patrickhener/goshs/releases/tag/v2.0.2 cve-icon cve-icon
https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact