
CVE-2026-35392: Goshs Path Traversal Vulnerability (CRITICAL)

Platform: go

Component: goshs

Fixed in: 2.0.0-beta.3

CVE-2026-35392 describes a Path Traversal vulnerability affecting the github.com/patrickhener/goshs component. The vulnerability arises from the lack of path sanitization during PUT uploads, allowing attackers to write files to arbitrary locations on the server. This issue impacts the default configuration and has been assigned a CVSS score of 9.8 (CRITICAL). The vulnerability is fixed in version 1.1.5-0.20260401172448-237f3af891a9.

How to fix

Update goshs to version 2.0.0-beta.3 or later to mitigate the path traversal vulnerability. This version includes proper path validation to prevent unauthorized file access.

Frequently asked questions

What is CVE-2026-35392?

CVE-2026-35392 is a critical Path Traversal vulnerability in github.com/patrickhener/goshs. It allows attackers to write files to arbitrary locations due to missing path sanitization during PUT requests.

Am I affected by CVE-2026-35392?

You are affected if you are using a version of github.com/patrickhener/goshs prior to 1.1.5-0.20260401172448-237f3af891a9 with the default configuration, as the PUT upload functionality lacks proper path sanitization.

How do I fix CVE-2026-35392?

To fix CVE-2026-35392, upgrade your github.com/patrickhener/goshs installation to version 1.1.5-0.20260401172448-237f3af891a9 or later. This version includes the necessary path sanitization to prevent path traversal attacks.
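The kind of path check that a PUT upload handler needs, as an added example. It is not goshs source code or its patch: the function names, the /srv/share web root and the request paths are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("upload path escapes web root")

// naiveUploadPath shows the unsafe pattern: the request path is joined to the
// web root and used as-is. Join cleans ".." segments, so the result can land
// outside root.
func naiveUploadPath(root, reqPath string) string {
	return filepath.Join(root, reqPath)
}

// safeUploadPath resolves reqPath under root and rejects any destination that
// is not strictly inside root. It is a lexical check only: symlinks inside
// root are not resolved here (assumption: root contains none).
func safeUploadPath(root, reqPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, filepath.FromSlash(reqPath))
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	// "." means the root directory itself, which is not a valid upload file.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideRoot
	}
	return target, nil
}

func main() {
	root := "/srv/share" // constructed sample web root
	for _, p := range []string{"/docs/report.txt", "/../outside.txt", "/a/../../b.txt", "/..notes"} {
		dst, err := safeUploadPath(root, p)
		fmt.Printf("%-20q naive=%q safe=%q err=%v\n", p, naiveUploadPath(root, p), dst, err)
	}
}
```

A handler would call safeUploadPath before opening the destination file and answer with an HTTP 4xx status when it returns an error.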
