Platform: go
Component: goshs
Fixed in: 1.0.8
CVE-2026-40188 describes a missing write protection vulnerability in goshs, a Go library. This flaw allows attackers to potentially modify parametric data values without proper authorization, leading to unexpected behavior or data corruption. The vulnerability affects versions 1.0.7 through 2.0.0-beta.3. A fix is available in version 2.0.0-beta.4.
The core issue lies in the absence of write protection mechanisms for parametric data values within goshs. An attacker who can exploit this vulnerability could manipulate these values, potentially altering the behavior of applications that rely on goshs. This could lead to data corruption, denial of service, or even privilege escalation, depending on how the data is used within the application. The impact is amplified if the application processes user-supplied data without proper validation after it has been modified via this vulnerability. While a direct remote code execution (RCE) is unlikely, the ability to modify critical data can have severe consequences.
This CVE was published on 2026-04-10. There is currently no public proof-of-concept (POC) available, and no confirmed exploitation campaigns have been observed. The vulnerability's severity is rated as HIGH (CVSS 7.7). It is not currently listed on the CISA KEV catalog. The probability of exploitation is considered low to medium given the lack of public exploits, but the potential impact warrants attention.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade to version 2.0.0-beta.4 or later, which includes the necessary write protection fixes. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any data processed by goshs to minimize the potential impact of unauthorized modifications. While a direct WAF rule is unlikely to be effective, carefully reviewing and restricting access to the application's API endpoints that utilize goshs can help reduce the attack surface. After upgrading, confirm the fix by attempting to modify the parametric data values through the application's interface or API and verifying that the changes are rejected.
Update goshs to version 2.0.0-beta.4 or higher to mitigate the vulnerability. This version corrects the incorrect sanitization of the destination path in the SFTP rename command, preventing the possibility of writing files outside the root directory.
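The fix described above is a root-containment check on a client-supplied path. The following Go program is an added illustration of that class of check and is not goshs's own code: it resolves a slash-separated client path below a served root, rejects anything that normalises to a location outside the root, and applies the check to both ends of a rename. The root and request paths are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a client-supplied path would resolve
// outside the served root directory after normalisation.
var ErrOutsideRoot = errors.New("path resolves outside the root directory")

// resolveWithinRoot maps a slash-separated client path onto the local
// filesystem below root. Absolute client paths are treated as relative to
// the share root, "." and ".." segments are collapsed by filepath.Join, and
// any result that is not at or below root is rejected. This is an
// illustrative check, not the project's implementation.
func resolveWithinRoot(root, requested string) (string, error) {
	root = filepath.Clean(root)
	joined := filepath.Join(root, filepath.FromSlash(requested))
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	// A relative path of ".." or one starting with "../" has escaped root.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// renameWithinRoot validates both ends of a rename request. The advisory's
// fix concerns the destination path; checking the source as well costs
// nothing and closes the symmetric case.
func renameWithinRoot(root, src, dst string) (string, string, error) {
	s, err := resolveWithinRoot(root, src)
	if err != nil {
		return "", "", fmt.Errorf("source: %w", err)
	}
	d, err := resolveWithinRoot(root, dst)
	if err != nil {
		return "", "", fmt.Errorf("destination: %w", err)
	}
	return s, d, nil
}

func main() {
	root := "/srv/share" // constructed example root
	for _, req := range []struct{ src, dst string }{
		{"docs/report.txt", "docs/report-archived.txt"},
		{"docs/report.txt", "../../tmp/escape.txt"},
	} {
		s, d, err := renameWithinRoot(root, req.src, req.dst)
		if err != nil {
			fmt.Printf("rejected %q -> %q: %v\n", req.src, req.dst, err)
			continue
		}
		fmt.Printf("allowed %s -> %s\n", s, d)
	}
}
```

The check is purely lexical: it decides on the path string, so a symlink already present inside the root can still point elsewhere. A server that allows symlinks in the share should additionally resolve the result with filepath.EvalSymlinks and repeat the containment test on the resolved path.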
CVE-2026-40188 is a HIGH severity vulnerability in goshs versions 1.0.7 through 2.0.0-beta.3 where missing write protection allows unauthorized modification of parametric data values.
You are affected if your application uses goshs versions >= 1.0.7 and < 2.0.0-beta.4. Check your dependencies to determine whether you are using a vulnerable version.
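An added example of that dependency check, written for this page rather than taken from the project: it scans go.mod text for the goshs require line and tests the version against the affected range stated above (>= 1.0.7, < 2.0.0-beta.4). The range includes a prerelease bound, so the comparison follows semver precedence (a prerelease sorts before its release, prerelease identifiers compare dot by dot, numerics numerically) instead of comparing strings, which would misorder beta.10 against beta.4. The go.mod content is a constructed sample, and the comparison is implemented inline here rather than via golang.org/x/mod/semver so the program has no dependencies.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const (
	affectedModule = "github.com/patrickhener/goshs"
	affectedFrom   = "v1.0.7"        // inclusive lower bound, from the advisory
	fixedIn        = "v2.0.0-beta.4" // exclusive upper bound, from the advisory
)

// sampleGoMod is a constructed go.mod, not a real project file.
const sampleGoMod = `module example.com/fileshare

go 1.22

require (
	github.com/patrickhener/goshs v2.0.0-beta.3
	golang.org/x/crypto v0.21.0 // indirect
)
`

type version struct {
	nums [3]int
	pre  string // prerelease identifiers after '-', "" for a release
}

// parseVersion parses "vMAJOR.MINOR.PATCH[-PRE][+BUILD]"; build metadata is ignored.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(s, "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	if i := strings.Index(s, "-"); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("not a semver core: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad numeric component %q", p)
		}
		v.nums[i] = n
	}
	return v, nil
}

// comparePre orders prerelease identifier lists per semver: numeric
// identifiers compare numerically and sort before alphanumeric ones;
// a longer list wins when all shared identifiers are equal.
func comparePre(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		an, aerr := strconv.Atoi(as[i])
		bn, berr := strconv.Atoi(bs[i])
		switch {
		case aerr == nil && berr == nil:
			if an != bn {
				if an < bn {
					return -1
				}
				return 1
			}
		case aerr == nil:
			return -1
		case berr == nil:
			return 1
		default:
			if c := strings.Compare(as[i], bs[i]); c != 0 {
				return c
			}
		}
	}
	return len(as) - len(bs)
}

// compare returns <0, 0, >0: numeric core first, then a prerelease sorts
// before the corresponding release.
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] - b.nums[i]
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return comparePre(a.pre, b.pre)
}

// isAffected reports whether v lies in [affectedFrom, fixedIn).
func isAffected(v string) (bool, error) {
	pv, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	lo, _ := parseVersion(affectedFrom)
	hi, _ := parseVersion(fixedIn)
	return compare(pv, lo) >= 0 && compare(pv, hi) < 0, nil
}

// findRequiredVersion returns the version required for module in goMod
// text, or "" when the module is not listed.
func findRequiredVersion(goMod, module string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(fields) >= 2 && fields[0] == module {
			return fields[1]
		}
	}
	return ""
}

// checkGoMod reports the required goshs version and whether it is affected.
func checkGoMod(goMod string) (string, bool, error) {
	v := findRequiredVersion(goMod, affectedModule)
	if v == "" {
		return "", false, nil
	}
	affected, err := isAffected(v)
	return v, affected, err
}

func main() {
	v, affected, err := checkGoMod(sampleGoMod)
	fmt.Printf("%s %s affected=%v err=%v\n", affectedModule, v, affected, err)
}
```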
Upgrade to version 2.0.0-beta.4 or later to resolve the vulnerability. If immediate upgrade is not possible, implement strict input validation and sanitization.
Currently, there are no confirmed exploitation campaigns or publicly available proof-of-concept exploits for CVE-2026-40188.
Refer to the goshs project's repository and release notes for the official advisory and details on the fix: [https://github.com/patrickhener/goshs](https://github.com/patrickhener/goshs)