Platform
go
Component
goshs
Fixed in
2.0.1
CVE-2026-35393 describes a critical path traversal vulnerability in goshs, a SimpleHTTPServer written in Go. The flaw is a lack of sanitization of the directory used for POST multipart uploads, which lets an attacker place uploaded files outside the intended upload directory; the advisory characterises the impact as access to sensitive files on the server. All versions of goshs prior to 2.0.0-beta.3 are vulnerable, and the fix ships in version 2.0.0-beta.3.
The vulnerability lies in the handling of multipart file uploads. An attacker sends a crafted POST request in which the request-controlled part of the destination (the upload directory named by the request, or the filename of the multipart part) contains path traversal sequences (e.g., ../../../../etc/passwd). If the server joins that input onto its served root without checking that the result still lies inside the root, the uploaded content is written to an attacker-chosen location. The direct primitive is therefore an arbitrary file write with the privileges of the goshs process: an attacker can plant or overwrite configuration files, source code, or system files, which is how the advisory's unauthorized access to sensitive data materialises. One caveat when reasoning about the filename vector: since Go 1.17 the standard library's mime/multipart applies filepath.Base to a part's filename before handing it to the application, so on a current Go toolchain the request-supplied upload directory, not the filename, is the component that needs checking. The blast radius is every path the goshs process can write to, so running it as root or from a sensitive directory makes this a high-severity risk.
This vulnerability was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation campaigns targeting this vulnerability. No Proof-of-Concept (PoC) code has been publicly released as of this writing. The CVSS score of 9.8 reflects the critical severity and ease of exploitation.
Exploit Status
EPSS
0.11% (29th percentile)
The primary mitigation for CVE-2026-35393 is to upgrade to goshs version 2.0.0-beta.3 or later, which adds the missing sanitization. If upgrading is not immediately feasible, treat the following as stopgaps rather than fixes: a WAF or reverse-proxy rule that rejects upload requests whose target path contains a ".." segment (match after percent-decoding, including double encoding, and treat backslashes as separators, otherwise encoded variants pass straight through; note also that the multipart filename travels in the request body, which URL-based rules do not inspect); disabling or restricting uploads where the deployment does not need them; running goshs as an unprivileged user from a dedicated directory, so that a successful traversal can only write where that user can; and reviewing server logs for upload requests whose path climbs above the served directory.
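The decode-before-match point above, as an added example in Go that is not goshs code (the log entries are constructed, not captured from any real server): hasTraversal normalises a request target the way a WAF rule or a log-review script has to before looking for a ".." segment, and flagged runs it over a handful of constructed targets that include the encoded variants a literal "../" pattern misses.

```go
// Added example (not goshs code, and not a real goshs log): a decode-then-check
// for traversal in request targets, the logic a WAF rule or log review needs in
// order not to be bypassed by encoding. All sample targets are constructed.
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleTargets are constructed request targets of the kind an access log
// records; the multipart filename lives in the body and is not visible here.
var sampleTargets = []string{
	"/upload/docs",                   // benign
	"/upload/../../etc/cron.d",       // plain traversal
	"/upload/..%2f..%2fetc%2fcron.d", // percent-encoded slashes
	"/upload/%2e%2e/%2e%2e/etc",      // percent-encoded dots
	"/upload/%252e%252e%252f..",      // double-encoded
	"/upload/..\\..\\windows",        // backslash separators
	"/upload/notes..txt",             // benign: ".." inside a name, not a segment
}

// hasTraversal percent-decodes repeatedly (bounded, to catch double encoding),
// treats backslashes as separators, and then looks for a bare ".." segment.
// A literal "../" match would miss four of the five malicious samples above.
func hasTraversal(target string) bool {
	s := target
	for i := 0; i < 3; i++ {
		dec, err := url.PathUnescape(s)
		if err != nil || dec == s {
			break
		}
		s = dec
	}
	s = strings.ReplaceAll(s, "\\", "/")
	for _, seg := range strings.Split(s, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// flagged returns the targets that hasTraversal reports.
func flagged(targets []string) []string {
	var out []string
	for _, t := range targets {
		if hasTraversal(t) {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	for _, t := range flagged(sampleTargets) {
		fmt.Println("traversal:", t)
	}
}
```

Because the multipart filename is carried in the request body, access logs and URL-only WAF rules cannot see it; this check covers the request-controlled upload directory, which is also the part of the destination that the page's advisory names.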
Update goshs to version 2.0.0-beta.3 or higher. That version corrects the missing sanitization of the POST multipart upload directory, so uploads can no longer land outside the intended directory, which closes the unauthorized file access the advisory describes.
CVE-2026-35393 is a critical path traversal vulnerability in goshs: the directory used for multipart uploads is not sanitized, so an attacker can place files outside the intended upload location and gain access to sensitive data on the server.
You are affected if you run any goshs version from 0.0.0 through 2.0.0-beta.2, that is, every release before 2.0.0-beta.3.
Upgrade to goshs version 2.0.0-beta.3 or later, which contains the fix. A WAF rule that blocks traversal sequences in upload paths is only a temporary, partial workaround.
As of now, there is no confirmed evidence of active exploitation campaigns targeting CVE-2026-35393. However, the vulnerability's critical severity warrants immediate attention and remediation.
Refer to the goshs project's release notes or GitHub repository for the official advisory and details on the fix. Check the project's website for updates.