{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/goshs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-40884"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SimpleHTTPServer"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","sftp","vulnerability","network"],"_cs_type":"advisory","_cs_vendors":["goshs"],"content_html":"\u003cp\u003eThe goshs SimpleHTTPServer, a utility written in Go, is susceptible to an SFTP authentication bypass vulnerability (CVE-2026-40884) in versions prior to 2.0.0-beta.6. This flaw arises when the server is launched using the \u003ccode\u003e-b ':pass'\u003c/code\u003e argument in conjunction with the \u003ccode\u003e-sftp\u003c/code\u003e flag. This specific configuration prevents the application from properly initializing an SFTP password handler. Consequently, a remote, unauthenticated attacker can establish a connection to the SFTP service and gain unauthorized access to files stored on the server. This vulnerability poses a significant risk to data confidentiality and integrity. Organizations using affected versions of goshs should upgrade to version 2.0.0-beta.6 or later immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable goshs server running a version prior to 2.0.0-beta.6 with SFTP enabled using \u003ccode\u003e-sftp\u003c/code\u003e and the vulnerable authentication configuration \u003ccode\u003e-b ':pass'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a network connection to the server's SFTP port (typically port 22, or a custom-configured port).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an SFTP connection without providing any username or password, exploiting the missing password handler.\u003c/li\u003e\n\u003cli\u003eThe vulnerable goshs server accepts the connection without authentication due to the configuration error.\u003c/li\u003e\n\u003cli\u003eThe attacker is granted access to the file system served by the goshs server via SFTP.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates the file system, identifies sensitive files, and downloads them.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates the stolen data from the network.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised server as a pivot point for further attacks within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40884 allows an unauthenticated attacker to access sensitive files stored on the vulnerable goshs server. The impact can range from information disclosure to complete compromise of the server and potential lateral movement within the network. Given the CVSS v3.1 base score of 9.8, this vulnerability represents a critical risk. The number of affected systems depends on the adoption rate of goshs and the specific configurations used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade goshs to version 2.0.0-beta.6 or later to patch CVE-2026-40884.\u003c/li\u003e\n\u003cli\u003eReview goshs server configurations and remove the vulnerable \u003ccode\u003e-b ':pass'\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to SFTP ports (default 22) for suspicious activity originating from unknown sources. Use the \u0026quot;Detect Suspicious SFTP Connection\u0026quot; Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-24-goshs-auth-bypass/","summary":"goshs SimpleHTTPServer prior to version 2.0.0-beta.6 contains an SFTP authentication bypass vulnerability that allows unauthenticated network attackers to access files when the server is started with specific configuration parameters.","title":"goshs SimpleHTTPServer SFTP Authentication Bypass Vulnerability (CVE-2026-40884)","url":"https://feed.craftedsignal.io/briefs/2024-01-24-goshs-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-40188"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["goshs"],"_cs_severities":["high"],"_cs_tags":["path-traversal","sftp","cve-2026-40188"],"_cs_type":"advisory","_cs_vendors":["goshs"],"content_html":"\u003cp\u003egoshs is a SimpleHTTPServer written in Go. Versions 1.0.7 to before 2.0.0-beta.4 are vulnerable to a path traversal issue (CVE-2026-40188) within the SFTP rename command. This vulnerability arises because the application only sanitizes the source path during a rename operation, neglecting to sanitize the destination path. This oversight allows authenticated attackers with low privileges to manipulate file paths and potentially write files outside the designated SFTP root directory, leading to unauthorized file creation or modification. The vulnerability is resolved in version 2.0.0-beta.4. This vulnerability poses a risk to systems using vulnerable versions of goshs for file sharing.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains low-privilege access to the goshs server via SSH or other means.\u003c/li\u003e\n\u003cli\u003eAttacker establishes an SFTP session with the vulnerable goshs server.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a file or directory within their authorized SFTP root.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an SFTP rename command where the source is a legitimate file within their SFTP root.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the destination path of the rename command to include path traversal sequences (e.g., \u0026quot;../\u0026quot;) to move outside of the intended root directory.\u003c/li\u003e\n\u003cli\u003eThe vulnerable goshs server executes the rename command using the attacker-controlled destination path without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully creates or overwrites files in unauthorized locations on the server's file system.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage the ability to write arbitrary files to achieve persistence by modifying system configuration files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass intended access restrictions and potentially overwrite critical system files, leading to code execution or denial-of-service. The impact is high due to the potential for privilege escalation and system compromise. While the exact number of vulnerable installations is unknown, any organization using goshs versions 1.0.7 to before 2.0.0-beta.4 are potentially at risk. Successful exploitation can lead to unauthorized data modification, or system instability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade goshs to version 2.0.0-beta.4 or later to remediate CVE-2026-40188 as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor SFTP logs for rename operations containing path traversal sequences like \u0026quot;../\u0026quot; in the destination path. (Generic Recommendation)\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on critical system directories to detect unauthorized file modifications resulting from successful exploitation. (Generic Recommendation)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2026-04-goshs-path-traversal/","summary":"The goshs SimpleHTTPServer, from version 1.0.7 to before 2.0.0-beta.4, is vulnerable to path traversal (CVE-2026-40188) due to insufficient sanitization of the destination path in the SFTP rename command, potentially allowing attackers with low privileges to write files outside the intended root directory.","title":"goshs SimpleHTTPServer SFTP Rename Path Traversal Vulnerability (CVE-2026-40188)","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Goshs","version":"https://jsonfeed.org/version/1.1"}