CVE-2025-46816 · CRITICAL 9.4 · EPSS p44.2%


Description

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the `-c` CLI option, thus allowing anyone to execute arbitrary commands through the use of WebSockets. Version 1.0.5 fixes the issue.

Scoring

CVSS 3.0: 9.4 (CRITICAL)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.60% probability of exploitation · percentile 44.2% · 2026-06-18T12:00:27Z
Published: 2025-05-06
Last modified: 2026-04-15

Underlying weaknesses · 2

CWE-77, CWE-284

References

  1. https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa
  2. https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm


Type      Target                                                                                          Confidence  Tier
Weakness  Improper Access Control (cwe-284)                                                               0%          live
Weakness  Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77)    0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-40884
CVE: CVE-2026-40883
CVE: CVE-2026-40885
CVE: CVE-2026-34581
CVE: CVE-2026-40189
CVE: CVE-2026-35392
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.