CVE-2026-35392: Critical Path Traversal in goshs Go HTTP Server

Executive Summary

A critical path traversal vulnerability (CVE-2026-35392) has been disclosed in goshs, a lightweight SimpleHTTPServer replacement written in Go. The vulnerability exists in the PUT file upload handler (httpserver/updown.go) and allows unauthenticated remote attackers to write files to arbitrary locations on the server filesystem by crafting a malicious upload path.

CVSS Score: 9.8 (Critical)

The flaw is fixed in goshs version 2.0.0-beta.3. All prior versions are affected.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-35392
CVSS Score	9.8 (Critical)
Type	Path Traversal (CWE-22)
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Published	2026-04-06
Fixed In	goshs 2.0.0-beta.3

Affected Products

Product	Affected Versions	Status
goshs (SimpleHTTPServer for Go)	All versions prior to 2.0.0-beta.3	Vulnerable
goshs 2.0.0-beta.3+	2.0.0-beta.3 and later	Patched

goshs is commonly used as a drop-in development HTTP server and quick file-sharing utility. It is popular among developers and penetration testers for its ease of deployment and Go-native simplicity.

Technical Details

Root Cause

The vulnerability resides in httpserver/updown.go, which handles the HTTP PUT method for file uploads. The path provided in the PUT request URL is passed to file system operations without sanitization or normalization. This means an attacker can supply path traversal sequences such as ../../../etc/cron.d/backdoor in the request URL, causing the server to write attacker-controlled content to directories well outside the intended upload root.

Attack Chain

1. Attacker identifies an exposed goshs instance (default: TCP 8080)
2. Attacker crafts a PUT request with a path traversal payload:
     PUT /../../etc/cron.d/malicious HTTP/1.1
     Host: target:8080
     Content-Length: <n>
 
     [malicious cron payload]
3. goshs resolves the path without sanitization
4. File is written to /etc/cron.d/malicious
5. Cron executes the payload → RCE as the goshs process user

Why CVSS 9.8?

The combination of no authentication, no user interaction, network-reachable attack vector, and low complexity — combined with the potential for full file-system writes leading to code execution — produces a near-maximum CVSS base score. Any location writable by the goshs process is a potential target for code execution via cron jobs, authorized_keys injection, or web shell placement.

Impact Assessment

Impact Area	Description
Arbitrary File Write	Attacker can write to any path accessible by the goshs process
Remote Code Execution	File write to cron, authorized_keys, or web root enables RCE
Data Exfiltration	Attacker may pivot to read sensitive files after establishing a foothold
Persistence	Backdoors can be written to system startup locations
Supply Chain Risk	goshs used in CI/CD and dev environments could be weaponized

Recommendations

Immediate Actions

Upgrade goshs to 2.0.0-beta.3 or later — the patched release includes proper path sanitization in the PUT handler.
Audit running goshs instances — identify all systems running goshs in your environment and verify the version.
Disable PUT support if file upload functionality is not required.
Restrict network access to goshs instances — do not expose goshs to untrusted networks.

Network-Level Mitigations

- Block external access to goshs service ports (default 8080) at perimeter firewall
- Enforce host-based firewall rules allowing only trusted source IPs
- Deploy WAF rules to detect path traversal sequences (../) in PUT requests
- Monitor for unexpected file creation events outside the intended upload directory

Detection Indicators

Indicator	Description
PUT requests containing `../` or `%2e%2e`	Path traversal attempt
Unexpected file creation outside upload root	Successful exploitation
New cron jobs or SSH authorized_keys modifications	Post-exploitation persistence
Unexpected processes spawned by cron or shell	Code execution via written payload

References

Executive Summary

CVSS Score: 9.8 (Critical)

The flaw is fixed in goshs version 2.0.0-beta.3. All prior versions are affected.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-35392
CVSS Score	9.8 (Critical)
Type	Path Traversal (CWE-22)
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Published	2026-04-06
Fixed In	goshs 2.0.0-beta.3

Affected Products

Product	Affected Versions	Status
goshs (SimpleHTTPServer for Go)	All versions prior to 2.0.0-beta.3	Vulnerable
goshs 2.0.0-beta.3+	2.0.0-beta.3 and later	Patched

goshs is commonly used as a drop-in development HTTP server and quick file-sharing utility. It is popular among developers and penetration testers for its ease of deployment and Go-native simplicity.

Technical Details

Root Cause

Attack Chain

1. Attacker identifies an exposed goshs instance (default: TCP 8080)
2. Attacker crafts a PUT request with a path traversal payload:
     PUT /../../etc/cron.d/malicious HTTP/1.1
     Host: target:8080
     Content-Length: <n>
 
     [malicious cron payload]
3. goshs resolves the path without sanitization
4. File is written to /etc/cron.d/malicious
5. Cron executes the payload → RCE as the goshs process user

Why CVSS 9.8?

Impact Assessment

Impact Area	Description
Arbitrary File Write	Attacker can write to any path accessible by the goshs process
Remote Code Execution	File write to cron, authorized_keys, or web root enables RCE
Data Exfiltration	Attacker may pivot to read sensitive files after establishing a foothold
Persistence	Backdoors can be written to system startup locations
Supply Chain Risk	goshs used in CI/CD and dev environments could be weaponized

Recommendations

Immediate Actions

Upgrade goshs to 2.0.0-beta.3 or later — the patched release includes proper path sanitization in the PUT handler.
Audit running goshs instances — identify all systems running goshs in your environment and verify the version.
Disable PUT support if file upload functionality is not required.
Restrict network access to goshs instances — do not expose goshs to untrusted networks.

Network-Level Mitigations

- Block external access to goshs service ports (default 8080) at perimeter firewall
- Enforce host-based firewall rules allowing only trusted source IPs
- Deploy WAF rules to detect path traversal sequences (../) in PUT requests
- Monitor for unexpected file creation events outside the intended upload directory

Detection Indicators

Indicator	Description
PUT requests containing `../` or `%2e%2e`	Path traversal attempt
Unexpected file creation outside upload root	Successful exploitation
New cron jobs or SSH authorized_keys modifications	Post-exploitation persistence
Unexpected processes spawned by cron or shell	Code execution via written payload

CVE-2026-35392: Critical Path Traversal in goshs Go HTTP Server

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

Root Cause

Attack Chain

Why CVSS 9.8?

Impact Assessment

Recommendations

Immediate Actions

Network-Level Mitigations

Detection Indicators

References

CVE-2026-5637: SQL Injection in projectworlds Car Rental System 1.0

CVE-2026-26477: DokuWiki media_upload_xhr() Denial of Service

CVE-2026-33615: Critical Unauthenticated SQL Injection in setinfo Endpoint

CVE-2026-35392: Critical Path Traversal in goshs Go HTTP Server

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

Root Cause

Attack Chain

Why CVSS 9.8?

Impact Assessment

Recommendations

Immediate Actions

Network-Level Mitigations

Detection Indicators

References

CVE-2026-5637: SQL Injection in projectworlds Car Rental System 1.0

CVE-2026-26477: DokuWiki media_upload_xhr() Denial of Service

CVE-2026-33615: Critical Unauthenticated SQL Injection in setinfo Endpoint