CVE-2026-35471

Name of the Vulnerable Software and Affected Versions goshs (affected versions not specified)

Description A flaw exists in goshs that allows for arbitrary file or directory deletion due to a missing return statement after a path traversal check in the deleteFile() function (httpserver/handler.go:645-671). The vulnerability is triggered by a GET request to an endpoint like '/?delete'. The function detects '..' in the decoded path but proceeds to os.RemoveAll without returning, leading to unauthenticated arbitrary file/directory deletion. The API endpoint ''/?delete'' is vulnerable, with the path parameter being the key factor. The vulnerable function is deleteFile().

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.