https://feed.craftedsignal.io/tags/goshs/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 04 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-goshs-path-traversal/Sat, 04 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-goshs-path-traversal/The goshs application is vulnerable to unauthenticated path traversal (CVE-2026-35471) due to a missing return statement in the `deleteFile()` function, allowing attackers to delete arbitrary files and directories using a crafted GET request.The goshs application, a simple static file server written in Go, is vulnerable to a path traversal vulnerability (CVE-2026-35471). This flaw exists within the deleteFile function (httpserver/handler.go) due to a missing return statement after a check for path traversal attempts using ... Specifically, if a request contains double-encoded path traversal sequences (e.g., %252e%252e), the check fails to prevent subsequent file deletion. This vulnerability, present in versions prior to 1.1.5-0.20260401172448-237f3af891a9, allows an unauthenticated attacker to delete arbitrary files and directories on the server. The vulnerability affects default configurations of goshs, requiring no authentication or specific flags to be set.

Attack Chain

1. The attacker identifies a goshs instance running a vulnerable version (prior to 1.1.5-0.20260401172448-237f3af891a9).
2. The attacker crafts a GET request to a file path containing double-encoded path traversal sequences (%252e%252e) to bypass the path traversal check in deleteFile().
3. The GET request includes the ?delete parameter to trigger the file deletion logic.
4. The deleteFile() function receives the request and decodes the path, but the missing return after the path traversal check allows the execution to continue.
5. The os.RemoveAll() function is called with the manipulated path, leading to the deletion of arbitrary files or directories outside the intended webroot.
6. The server responds with HTTP status code 200, even if the file deletion was successful or resulted in an error.
7. The attacker verifies the deletion of the targeted file/directory.

Impact

Successful exploitation of this path traversal vulnerability allows an unauthenticated attacker to delete any file or directory accessible to the goshs process. This could lead to data loss, system instability, or complete compromise of the server if critical system files are deleted. While the exact number of vulnerable instances is unknown, any organization using goshs versions prior to 1.1.5-0.20260401172448-237f3af891a9 is at risk.

Recommendation

• Upgrade to goshs version 1.1.5-0.20260401172448-237f3af891a9 or later to patch CVE-2026-35471.
• Deploy the Sigma rule “Detect goshs Path Traversal Attempt via URL Encoding” to identify ongoing exploitation attempts based on double-encoded path traversal sequences in HTTP requests.
• Monitor web server logs for GET requests containing double-encoded “..” sequences and the “?delete” parameter, indicative of exploitation attempts.

]]>criticaladvisorypath-traversalfile-deletiongoshshttps://feed.craftedsignal.io/briefs/2024-01-02-goshs-auth-bypass/Wed, 01 Apr 2026 20:58:48 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-goshs-auth-bypass/Goshs is vulnerable to an authentication bypass via share tokens, allowing attackers to bypass authentication checks by using a valid share token in conjunction with other functionalities like WebSocket connections to gain unauthorized access and execute arbitrary commands on the server.Goshs versions 1.1.0 and later are susceptible to an authentication bypass vulnerability (CVE-2026-34581) when using share tokens. The vulnerability resides in the BasicAuthMiddleware which prioritizes token validation over credential checks. This allows an attacker with a valid share token to bypass all authentication and access restricted functionalities such as directory listing, file deletion, clipboard access, WebSocket connections, and CLI command execution. A patch is available in version v2.0.0-beta.2. This vulnerability affects systems using goshs where authentication is enabled alongside the share token feature, potentially leading to unauthorized access and command execution.

Attack Chain

1. A legitimate user creates a share token for a specific file using the goshs web interface or API.
2. The attacker obtains a valid share token, either through social engineering or other means.
3. The attacker crafts a malicious request to the goshs server, including the valid share token as a query parameter (e.g., ?token=).
4. The BasicAuthMiddleware in goshs checks for the token parameter first and, upon finding a valid token, bypasses subsequent authentication checks.
5. The attacker includes a ws parameter in the same request (e.g., ?ws&token=), enabling a WebSocket connection.
6. Using the established WebSocket connection, the attacker sends commands to the server by sending a JSON payload with {"type":"command","Content":"command_to_execute"}.
7. The server executes the attacker-supplied command, such as id or cat /etc/passwd.
8. The attacker receives the output of the executed command via the WebSocket connection, effectively achieving remote code execution.

Impact

Successful exploitation of this vulnerability (CVE-2026-34581) allows an attacker to bypass authentication, gain unauthorized access to the goshs server, and execute arbitrary commands. This can lead to complete system compromise, data exfiltration, and denial-of-service. Since the vulnerability exists in a widely used web file server, a successful attack could impact numerous organizations using goshs.

Recommendation

• Upgrade to goshs version v2.0.0-beta.2 or later to patch CVE-2026-34581, as the vulnerability is fixed in that version (https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2).
• Monitor web server logs for requests containing both token and ws parameters in the query string, which may indicate an attempt to exploit this vulnerability (see the detection rule below).
• Implement network monitoring to detect unusual WebSocket connections originating from or destined to the goshs server (see the detection rule below).

]]>highadvisoryauthentication-bypasscode-executiongoshs