Goshs

The goshs application is vulnerable to unauthenticated path traversal (CVE-2026-35471) due to a missing return statement in the `deleteFile()` function, allowing attackers to delete arbitrary files and directories using a crafted GET request.

Goshs is vulnerable to an authentication bypass via share tokens, allowing attackers to bypass authentication checks by using a valid share token in conjunction with other functionalities like WebSocket connections to gain unauthorized access and execute arbitrary commands on the server.