PT-2026-30022 · Goshs · Goshs

Autobot23920 · Published 2026-04-03 · Updated 2026-04-14

CVE-2026-35393
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: goshs (affected versions not specified)
Description: A path traversal flaw in goshs allows unauthorized file access and manipulation. The issue resides in the POST multipart upload functionality, specifically within the httpserver/updown.go file (lines 71-174). The target directory is derived from the unsanitized req.URL.Path value, so directory traversal sequences such as ../ in the request path let an attacker escape the served directory. The filename is sanitized, but the path is not, so files can be written to arbitrary locations. The API endpoint '/upload' is involved, and the filename parameter of the multipart upload controls the final filename on disk. The result is an unauthenticated arbitrary file write to any existing directory on the filesystem.
Recommendations: At the time of writing, no version containing a fix for this vulnerability has been announced.
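As an added illustration of the fix a defender would expect for the pattern described above (not goshs's own code, which this page does not show): the upload directory is still derived from the URL path, but it is confined to the served root, and the client filename is reduced to its last element. The root directory, the function names and the error values are assumptions.

```go
package main

import (
	"errors"
	"path"
	"path/filepath"
	"strings"
)

// Hypothetical hardened helpers, not goshs's own code; names and root are assumptions.
var ErrOutsideRoot = errors.New("upload target escapes served root")
var ErrBadFilename = errors.New("unusable upload filename")

// ResolveUploadDir maps the (already percent-decoded) request URL path onto a
// directory under root and refuses anything that would escape it.
func ResolveUploadDir(root, urlPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Reject explicit parent-directory segments instead of silently remapping them.
	for _, seg := range strings.Split(urlPath, "/") {
		if seg == ".." {
			return "", ErrOutsideRoot
		}
	}
	// Clean the URL form, anchor it under root, then require the result to stay below root.
	target := filepath.Join(absRoot, filepath.FromSlash(path.Clean("/"+urlPath)))
	if rel, err := filepath.Rel(absRoot, target); err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

// SafeUploadPath adds the client filename reduced to its last element (the
// sanitisation the advisory says the filename, but not the directory, gets).
func SafeUploadPath(root, urlPath, filename string) (string, error) {
	dir, err := ResolveUploadDir(root, urlPath)
	if err != nil {
		return "", err
	}
	name := path.Base(strings.ReplaceAll(filename, `\`, "/"))
	if name == "." || name == ".." || name == "/" {
		return "", ErrBadFilename
	}
	return filepath.Join(dir, name), nil
}
```

With root "/srv/share", a request path of "/docs" resolves to "/srv/share/docs", while a path containing ".." segments is refused rather than remapped.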

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-35393
GHSA-JG56-WF8X-QRV5
OPENSUSE-SU-2026:10542-1

Affected Products

Goshs