PT-2026-30021 · Goshs · Goshs

Autobot23920 · Published 2026-04-03 · Updated 2026-04-14

CVE-2026-35392

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: goshs (affected versions not specified)

Description: goshs is susceptible to a critical path traversal flaw in the PUT upload functionality. The PUT upload process lacks proper path sanitization, allowing attackers to write arbitrary files to the system. The vulnerability resides in the httpserver/updown.go file, specifically lines 20-69, where req.URL.Path is used directly to construct the save path without any validation or sanitization. This allows files to be created outside the intended webroot, potentially leading to system compromise. The vulnerable API endpoint is '/' with the PUT method, and the vulnerable parameter is req.URL.Path. A proof-of-concept (PoC) demonstrates the ability to overwrite files on the system using URL-encoded '..' sequences to traverse the file system.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
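As an added illustration of the missing sanitization (example code written for this page, not goshs's own handler): a hypothetical Go PUT upload handler that only maps req.URL.Path onto the upload root after cleaning it and rejecting any ".." or absolute component. The root directory name and the function names are assumptions.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadPath: the request path names no file or would land outside the root.
var ErrBadPath = errors.New("upload path rejected")

// safeUploadPath maps a decoded request URL path onto a file below root.
// The unsafe pattern the advisory describes amounts to filepath.Join(root, req.URL.Path)
// with no checks; here the path is cleaned, screened for ".." and absolute
// components, joined to an absolute root, and then re-checked by prefix.
func safeUploadPath(root, urlPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	rel := filepath.Clean(filepath.FromSlash(strings.TrimLeft(urlPath, "/")))
	sep := string(filepath.Separator)
	if rel == "." || filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrBadPath
	}
	target := filepath.Join(absRoot, rel)
	if !strings.HasPrefix(target, absRoot+sep) { // second gate, belt and braces
		return "", ErrBadPath
	}
	return target, nil
}

// putHandler is a hypothetical PUT handler (assumed name, not goshs code) that calls
// safeUploadPath first. net/http has already percent-decoded req.URL.Path, so an
// encoded ".." arrives here as a literal ".." and is caught by the check above.
func putHandler(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		target, err := safeUploadPath(root, req.URL.Path)
		if err != nil {
			http.Error(w, "invalid upload path", http.StatusBadRequest)
			return
		}
		body, err := io.ReadAll(req.Body)
		if err != nil || os.WriteFile(target, body, 0o644) != nil {
			http.Error(w, "server error", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusCreated)
	}
}
```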

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-35392
GHSA-G8MV-VP7J-QP64
OPENSUSE-SU-2026:10542-1

Affected Products

Goshs