{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/goshs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","file-deletion","goshs"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe goshs application, a simple static file server written in Go, is vulnerable to a path traversal vulnerability (CVE-2026-35471). This flaw exists within the \u003ccode\u003edeleteFile\u003c/code\u003e function (\u003ccode\u003ehttpserver/handler.go\u003c/code\u003e) due to a missing \u003ccode\u003ereturn\u003c/code\u003e statement after a check for path traversal attempts using \u003ccode\u003e..\u003c/code\u003e. Specifically, if a request contains double-encoded path traversal sequences (e.g., \u003ccode\u003e%252e%252e\u003c/code\u003e), the check fails to prevent subsequent file deletion. This vulnerability, present in versions prior to 1.1.5-0.20260401172448-237f3af891a9, allows an unauthenticated attacker to delete arbitrary files and directories on the server. The vulnerability affects default configurations of goshs, requiring no authentication or specific flags to be set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a goshs instance running a vulnerable version (prior to 1.1.5-0.20260401172448-237f3af891a9).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GET request to a file path containing double-encoded path traversal sequences (\u003ccode\u003e%252e%252e\u003c/code\u003e) to bypass the path traversal check in \u003ccode\u003edeleteFile()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003e?delete\u003c/code\u003e parameter to trigger the file deletion logic.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edeleteFile()\u003c/code\u003e function receives the request and decodes the path, but the missing \u003ccode\u003ereturn\u003c/code\u003e after the path traversal check allows the execution to continue.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eos.RemoveAll()\u003c/code\u003e function is called with the manipulated path, leading to the deletion of arbitrary files or directories outside the intended webroot.\u003c/li\u003e\n\u003cli\u003eThe server responds with HTTP status code 200, even if the file deletion was successful or resulted in an error.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the deletion of the targeted file/directory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows an unauthenticated attacker to delete any file or directory accessible to the goshs process. This could lead to data loss, system instability, or complete compromise of the server if critical system files are deleted. While the exact number of vulnerable instances is unknown, any organization using goshs versions prior to 1.1.5-0.20260401172448-237f3af891a9 is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to goshs version 1.1.5-0.20260401172448-237f3af891a9 or later to patch CVE-2026-35471.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect goshs Path Traversal Attempt via URL Encoding\u0026rdquo; to identify ongoing exploitation attempts based on double-encoded path traversal sequences in HTTP requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for GET requests containing double-encoded \u0026ldquo;..\u0026rdquo; sequences and the \u0026ldquo;?delete\u0026rdquo; parameter, indicative of exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-goshs-path-traversal/","summary":"The goshs application is vulnerable to unauthenticated path traversal (CVE-2026-35471) due to a missing return statement in the `deleteFile()` function, allowing attackers to delete arbitrary files and directories using a crafted GET request.","title":"goshs Unauthenticated Arbitrary File Deletion via Path Traversal","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","code-execution","goshs"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGoshs versions 1.1.0 and later are susceptible to an authentication bypass vulnerability (CVE-2026-34581) when using share tokens. The vulnerability resides in the \u003ccode\u003eBasicAuthMiddleware\u003c/code\u003e which prioritizes token validation over credential checks. This allows an attacker with a valid share token to bypass all authentication and access restricted functionalities such as directory listing, file deletion, clipboard access, WebSocket connections, and CLI command execution. A patch is available in version v2.0.0-beta.2. This vulnerability affects systems using goshs where authentication is enabled alongside the share token feature, potentially leading to unauthorized access and command execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA legitimate user creates a share token for a specific file using the goshs web interface or API.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid share token, either through social engineering or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the goshs server, including the valid share token as a query parameter (e.g., \u003ccode\u003e?token=\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eBasicAuthMiddleware\u003c/code\u003e in goshs checks for the \u003ccode\u003etoken\u003c/code\u003e parameter first and, upon finding a valid token, bypasses subsequent authentication checks.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003ews\u003c/code\u003e parameter in the same request (e.g., \u003ccode\u003e?ws\u0026amp;token=\u003c/code\u003e), enabling a WebSocket connection.\u003c/li\u003e\n\u003cli\u003eUsing the established WebSocket connection, the attacker sends commands to the server by sending a JSON payload with \u003ccode\u003e{\u0026quot;type\u0026quot;:\u0026quot;command\u0026quot;,\u0026quot;Content\u0026quot;:\u0026quot;command_to_execute\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server executes the attacker-supplied command, such as \u003ccode\u003eid\u003c/code\u003e or \u003ccode\u003ecat /etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the output of the executed command via the WebSocket connection, effectively achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-34581) allows an attacker to bypass authentication, gain unauthorized access to the goshs server, and execute arbitrary commands. This can lead to complete system compromise, data exfiltration, and denial-of-service. Since the vulnerability exists in a widely used web file server, a successful attack could impact numerous organizations using goshs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to goshs version v2.0.0-beta.2 or later to patch CVE-2026-34581, as the vulnerability is fixed in that version (\u003ca href=\"https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2\"\u003ehttps://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing both \u003ccode\u003etoken\u003c/code\u003e and \u003ccode\u003ews\u003c/code\u003e parameters in the query string, which may indicate an attempt to exploit this vulnerability (see the detection rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual WebSocket connections originating from or destined to the goshs server (see the detection rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T20:58:48Z","date_published":"2026-04-01T20:58:48Z","id":"/briefs/2024-01-02-goshs-auth-bypass/","summary":"Goshs is vulnerable to an authentication bypass via share tokens, allowing attackers to bypass authentication checks by using a valid share token in conjunction with other functionalities like WebSocket connections to gain unauthorized access and execute arbitrary commands on the server.","title":"Goshs Authentication Bypass via Share Token","url":"https://feed.craftedsignal.io/briefs/2024-01-02-goshs-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Goshs","version":"https://jsonfeed.org/version/1.1"}