CVE-2026-40876HIGH 8.8EPSS p34.9%

CVE-2026-40876CVE-2026-40876

Description

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.44% probability of exploitation · percentile 34.9% · 2026-06-19T12:03:05Z
Published2026-04-21
Last modified2026-04-24

Underlying weaknesses· 1

CWE-22

References

  1. https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824
  2. https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-40884
CVE
CVE-2026-40883
CVE
CVE-2026-40885
CVE
CVE-2026-35392
CVE
CVE-2026-40189
CVE
CVE-2026-35393
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.