CVE-2026-35393: Path Traversal in patrickhener/goshs
Platform: go
Component: goshs
Fixed in: 2.0.0-beta.3
CVE-2026-35393 describes a path traversal vulnerability affecting the github.com/patrickhener/goshs library. The vulnerability arises from the lack of sanitization of the target directory derived from `req.URL.Path` during POST multipart uploads, potentially allowing attackers to write files to arbitrary locations on the server. This issue affects the default configuration of goshs. Version 1.1.5-0.20260401172448-237f3af891a9 contains the fix.
How to fix
Upgrade goshs to version 2.0.0-beta.3 or later to mitigate the path traversal vulnerability. This version fixes the missing sanitization of the upload directory in POST multipart uploads, preventing attackers from accessing files outside the intended directory.
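For code that handles uploads in a similar way, the Go example below shows the kind of containment check the description above says was missing for the directory taken from `req.URL.Path`. It is an added example, not code from goshs or from this advisory; the function names, the root `/srv/share` and the request paths are constructed assumptions, and Unix-style paths are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("upload target escapes the served root")

// naiveUploadPath joins the request path onto the root with no containment
// check. filepath.Join cleans ".." segments but does not confine the result.
func naiveUploadPath(root, urlPath, filename string) string {
	return filepath.Join(root, urlPath, filename)
}

// confinedUploadPath resolves the same inputs and rejects any result outside
// root. urlPath stands for req.URL.Path, which holds the decoded form of the
// path, so an encoded "%2e%2e" arrives here as "..".
func confinedUploadPath(root, urlPath, filename string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// The multipart filename is client-controlled too: keep its last element only.
	name := filepath.Base(strings.ReplaceAll(filename, "\\", "/"))
	if name == "." || name == ".." || name == string(filepath.Separator) {
		return "", ErrEscapesRoot
	}
	target := filepath.Join(absRoot, filepath.FromSlash(urlPath), name)
	// Containment: the target, expressed relative to root, must not start with "..".
	rel, err := filepath.Rel(absRoot, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return target, nil
}

func main() {
	root := "/srv/share" // constructed sample root
	// Constructed request paths: one ordinary, one climbing out of the root.
	for _, p := range []string{"/docs/", "/docs/../../outside/"} {
		got, err := confinedUploadPath(root, p, "report.txt")
		fmt.Printf("%-22q naive=%q confined=%q err=%v\n", p, naiveUploadPath(root, p, "report.txt"), got, err)
	}
}
```

The check is lexical only: it does not resolve symbolic links that already exist under the root.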
Frequently asked questions
What is CVE-2026-35393?
CVE-2026-35393 is a path traversal vulnerability in the github.com/patrickhener/goshs library that allows writing files to arbitrary locations due to unsanitized directory handling during file uploads.
Am I affected by CVE-2026-35393?
You are potentially affected if you are using the github.com/patrickhener/goshs library and have not updated to version 1.1.5-0.20260401172448-237f3af891a9 or later.
How do I fix CVE-2026-35393?
To fix CVE-2026-35393, upgrade your github.com/patrickhener/goshs library to version 1.1.5-0.20260401172448-237f3af891a9 or a later version that includes the necessary security patch.