Platform: go
Component: github.com/patrickhener/goshs
Fixed in: 2.0.1, 1.1.5-0.20260401172448-237f3af891a9
CVE-2026-35392 describes a critical path traversal vulnerability in goshs, a Go implementation of the SSH File System Protocol. The flaw allows an attacker to upload arbitrary files to the server without authentication, because the upload path is not sanitized. Versions prior to 1.1.5-0.20260401172448-237f3af891a9 are affected, and a patch has been released.
The impact is severe. By exploiting the missing path sanitization in the PUT upload handler, an attacker can write arbitrary files anywhere on the server's file system. That can lead to complete system compromise: overwriting critical configuration files, injecting malicious code, or achieving remote code execution. Because no authentication is required, exploitation is trivial and the exposed attack surface is large. A successful attack could give persistent access to, and control over, the affected system.
The probability of exploitation is considered high because the flaw is easy to exploit and requires no authentication; given the simplicity of the attack vector, public proof-of-concept code is likely to appear quickly. The vulnerability was publicly disclosed on 2026-04-03. It is not currently listed in the CISA KEV catalog, but its severity warrants close monitoring.
Exploit Status
EPSS: 0.11% (29th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade immediately to version 1.1.5-0.20260401172448-237f3af891a9 or later. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks PUT requests whose path contains traversal sequences (e.g., ".."). Additionally, restrict access to the "/" endpoint, where the upload functionality resides, to trusted networks or users. Monitor system logs for suspicious file creation or modification, particularly in unexpected locations.
Update goshs to version 2.0.0-beta.3 or higher to mitigate the path traversal vulnerability. This version includes proper path sanitization to prevent unauthorized file access.
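As an added example (this is not goshs's code and not the patch described above), the following Go program shows the two defensive checks the mitigation paragraphs describe: a coarse request-path filter of the kind a WAF rule would apply before the request reaches the application, and a handler-side resolver that proves the destination path lies inside the upload root before any file is written. The function names (resolveUploadPath, looksLikeTraversal, uploadHandler), the upload root, the size limit and the listen address are assumptions made for the example.

```go
package main

import (
	"errors"
	"io"
	"log"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a client-supplied name would escape the upload root.
var ErrTraversal = errors.New("upload path escapes the upload root")

// ErrEmptyName is returned when the client supplied no file name at all.
var ErrEmptyName = errors.New("empty file name")

// resolveUploadPath maps a client-supplied file name onto a path strictly inside
// root. This is a hypothetical hardening, not goshs's own code: the name is
// cleaned, absolute names are refused, and filepath.Rel is used to prove that the
// joined result still lies under root, so "../x", "a/../../x" and a bare ".."
// are all rejected instead of being silently written outside the root.
func resolveUploadPath(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	cleaned := filepath.Clean(filepath.FromSlash(name))
	if cleaned == "." {
		return "", ErrEmptyName
	}
	if filepath.IsAbs(cleaned) {
		return "", ErrTraversal
	}
	target := filepath.Join(absRoot, cleaned)
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// looksLikeTraversal is the kind of coarse check a WAF rule applies to the raw
// request path. It decodes percent-escapes first (so "%2e%2e" and "%2F" are
// caught) and flags only whole ".." segments, so a file named "notes..txt" is
// not a false positive.
func looksLikeTraversal(rawPath string) bool {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true // an undecodable path is rejected rather than guessed at
	}
	for _, seg := range strings.Split(strings.ReplaceAll(decoded, "\\", "/"), "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// uploadHandler is a hardened PUT handler (hypothetical, not goshs's own) that
// writes the request body only to a path resolveUploadPath has approved.
func uploadHandler(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if looksLikeTraversal(r.URL.EscapedPath()) {
			http.Error(w, "bad path", http.StatusBadRequest)
			return
		}
		dst, err := resolveUploadPath(root, strings.TrimPrefix(r.URL.Path, "/"))
		if err != nil {
			http.Error(w, "bad path", http.StatusBadRequest)
			return
		}
		if err := os.MkdirAll(filepath.Dir(dst), 0o750); err != nil {
			http.Error(w, "cannot create directory", http.StatusInternalServerError)
			return
		}
		f, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o640)
		if err != nil {
			http.Error(w, "cannot open file", http.StatusInternalServerError)
			return
		}
		defer f.Close()
		// Cap the body size (assumed limit: 64 MiB) so an upload cannot fill the disk.
		if _, err := io.Copy(f, http.MaxBytesReader(w, r.Body, 64<<20)); err != nil {
			http.Error(w, "write failed", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusCreated)
	}
}

func main() {
	// Serves uploads into ./uploads on localhost only; both values are constructed for the example.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", uploadHandler("uploads")))
}
```

The handler-side check is the authoritative one: the WAF-style filter only sees one layer of decoding and is a stopgap until the application is upgraded, which matches the advice above to treat the WAF rule as a temporary workaround. On Go 1.20 or later, filepath.IsLocal offers a standard-library way to express the "stays under the root" condition that resolveUploadPath checks with filepath.Rel.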
CVE-2026-35392 is a critical vulnerability in goshs allowing attackers to upload arbitrary files due to missing path sanitization in the PUT upload handler.
You are affected if you are using goshs version prior to 1.1.5-0.20260401172448-237f3af891a9 and have not applied the patch.
Upgrade to version 1.1.5-0.20260401172448-237f3af891a9 or later. As a temporary workaround, implement a WAF rule to block malicious PUT requests.
While there is no confirmed active exploitation at this time, the ease of exploitation suggests it is likely to be targeted soon.
Refer to the goshs project's repository and release notes for the official advisory and patch details.