Vendor
A vulnerability (CVE-2026-50138) in `goshs` versions up to `v2.0.9` allows an authenticated attacker to bypass intended access restriction flags like `--read-only`, `--upload-only`, and `--no-delete` when the WebDAV listener is enabled, leading to unauthorized file creation, modification, deletion, and content exfiltration on the server, compromising data integrity and confidentiality.