Tag
The goshs SimpleHTTPServer, from version 1.0.7 to before 2.0.0-beta.4, is vulnerable to path traversal (CVE-2026-40188) due to insufficient sanitization of the destination path in the SFTP rename command, potentially allowing attackers with low privileges to write files outside the intended root directory.