Platform
go
Component
goshs
Fixed in
2.0.1
2.0.0-beta.6
CVE-2026-40883 describes a cross-site request forgery (CSRF) vulnerability discovered in goshs, a Go-based server. This flaw allows an attacker to induce authenticated users to perform unintended actions, such as deleting files or creating directories, without their knowledge. The vulnerability affects versions 2.0.0-beta.4 through 2.0.0-beta.5, and a fix is available in version 2.0.0-beta.6.
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of the goshs server's state. An attacker could craft malicious links or embed them in websites to trick authenticated users into unknowingly triggering actions. For example, a user browsing a compromised website could inadvertently execute a ?mkdir request, creating a new directory on the goshs server. Similarly, a ?delete request could lead to unintended data loss. The blast radius is limited to the scope of actions accessible through the vulnerable GET routes, but the consequences of those actions (file creation/deletion) can be significant.
As of the public disclosure date (2026-04-21), there is no indication of this vulnerability being actively exploited in the wild. No public proof-of-concept (POC) code has been released. The EPSS score is currently unavailable, so the probability of exploitation remains uncertain. This vulnerability is not listed on the CISA KEV catalog at this time.
Organizations and individuals using goshs version 2.0.0-beta.4 through 2.0.0-beta.5, particularly those deploying goshs in automated environments or as part of configuration management systems, are at significant risk. Shared hosting environments where multiple users share a goshs instance are also particularly vulnerable.
• linux / server:
ps aux | grep goshs
• generic web:
curl -I https://your-goshs-server.com/?mkdir
curl -I https://your-goshs-server.com/?delete
Check access logs for unusual GET requests to / with parameters like ?mkdir or ?delete originating from unexpected IP addresses.
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
The recommended mitigation is to immediately upgrade to goshs version 2.0.0-beta.6, which addresses the CSRF vulnerability. If upgrading is not immediately feasible, consider implementing a temporary workaround by adding CSRF protection to the vulnerable HTTP GET routes. This could involve implementing Origin or Referer header validation to ensure requests originate from trusted sources. Additionally, consider implementing a WAF rule to block suspicious GET requests containing ?mkdir or ?delete parameters. After upgrading, confirm the fix by attempting to trigger the vulnerable actions from a different browser session or incognito window to verify that the requests are now blocked.
Update goshs to version 2.0.0-beta.6 or later to fix the CSRF vulnerability. This version implements appropriate validation to prevent destructive actions via state-changing GET routes.
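The Origin/Referer validation suggested above as a temporary workaround, written out as an added example in Go; this is not goshs's own code, and the csrfGuard middleware, the parameter list and the decision to reject requests carrying neither header are assumptions about how such a guard would be wired in front of the vulnerable routes.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
)
// stateChanging: query parameters that trigger destructive actions on the GET
// routes named in the advisory (assumed list for this example).
var stateChanging = []string{"mkdir", "delete"}
// isStateChanging reports whether the request carries one of those parameters.
func isStateChanging(r *http.Request) bool {
	q := r.URL.Query()
	for _, p := range stateChanging {
		if _, ok := q[p]; ok {
			return true
		}
	}
	return false
}

// sameOrigin is true when Origin (or, failing that, Referer) names the host the
// request was sent to. A request carrying neither header is rejected: a
// cross-site navigation always carries at least one, so absence is untrusted.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	if src == "" || err != nil {
		return false
	}
	return u.Host == r.Host
}

// csrfGuard wraps a handler and refuses cross-site state-changing GET requests.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isStateChanging(r) && !sameOrigin(r) {
			log.Printf("csrf guard: blocked %s from %s", r.URL.RequestURI(), r.RemoteAddr)
			http.Error(w, "forbidden: cross-site request", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() { // serve the current directory behind the guard on :8000
	log.Fatal(http.ListenAndServe(":8000", csrfGuard(http.FileServer(http.Dir(".")))))
}
```

Plain GET requests without ?mkdir or ?delete pass through untouched, so ordinary file browsing keeps working while the destructive routes only answer same-origin callers.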
CVE-2026-40883 is a cross-site request forgery (CSRF) vulnerability affecting goshs versions 2.0.0-beta.4 through 2.0.0-beta.5, allowing attackers to trigger destructive actions.
You are affected if you are running goshs version 2.0.0-beta.4 or 2.0.0-beta.5. Check your version and upgrade immediately.
Upgrade to goshs version 2.0.0-beta.6 or later to resolve the CSRF vulnerability. Consider WAF rules as a temporary mitigation.
There is currently no confirmed active exploitation, but the vulnerability's simplicity suggests potential for future attacks.
Refer to the goshs project's official communication channels and release notes for the advisory related to CVE-2026-40883.