PT-2026-33232 · Goshs · Goshs

R1Zzg0D · Published 2026-04-14 · Updated 2026-05-12 · CVE-2026-40883

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: goshs versions 2.0.0-beta.4 through 2.0.0-beta.5
Description: goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an authenticated browser to trigger destructive actions, because the software relies solely on HTTP basic auth (credentials the browser attaches automatically to every request for that host) and performs no CSRF, Origin, or Referer validation on these routes. An attacker-controlled page can therefore trigger filesystem mutations via GET requests, specifically through the ?delete and ?mkdir parameters, which are handled by the deleteFile() and handleMkdir() functions respectively.
Recommendations: Update to version 2.0.0-beta.6.
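The following Go program is an added illustration of the weakness class the advisory describes and of the usual fix; it is not goshs's code. The in-memory store, the host name files.internal:8000 and the handler names are constructed for the example; only the ?delete and ?mkdir parameter names come from the advisory. The vulnerable handler mutates state on a plain GET with no check of where the request came from, while the hardened handler moves mutations to POST and refuses requests whose Origin (or, failing that, Referer) does not match the server's own host.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// store is a constructed in-memory stand-in for the served directory;
// it is not goshs's storage and exists only so the handlers have state to mutate.
type store struct{ entries map[string]bool }

func newStore() *store {
	return &store{entries: map[string]bool{"secret.txt": true}}
}

// applyMutation performs the state change named in the query string.
// The parameter names ?delete= and ?mkdir= follow the advisory; the logic is hypothetical.
func applyMutation(s *store, q url.Values) (string, bool) {
	if name := q.Get("delete"); name != "" {
		delete(s.entries, name)
		return "deleted " + name, true
	}
	if name := q.Get("mkdir"); name != "" {
		s.entries[name] = true
		return "created " + name, true
	}
	return "", false
}

// vulnerableHandler shows the weak pattern: a GET with ?delete= or ?mkdir= mutates
// state and nothing checks the request's source. Basic auth does not help, because
// the browser attaches the cached credentials to a cross-site request as well.
func vulnerableHandler(s *store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if msg, ok := applyMutation(s, r.URL.Query()); ok {
			fmt.Fprintln(w, msg)
			return
		}
		fmt.Fprintln(w, "listing")
	})
}

// sameOrigin reports whether the request's Origin (or, failing that, Referer) names
// the host the server is being addressed as. A state-changing request carrying
// neither header is refused rather than assumed safe.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return false
	}
	u, err := url.Parse(src)
	if err != nil {
		return false
	}
	return u.Host == r.Host
}

// hardenedHandler keeps reads on GET, requires POST for mutations, and checks the
// request origin before touching the store. A per-session CSRF token would add a
// second layer; the origin check alone already stops the cross-site GET case.
func hardenedHandler(s *store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		wantsMutation := q.Get("delete") != "" || q.Get("mkdir") != ""
		switch {
		case !wantsMutation:
			fmt.Fprintln(w, "listing")
		case r.Method != http.MethodPost:
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "state changes require POST", http.StatusMethodNotAllowed)
		case !sameOrigin(r):
			http.Error(w, "cross-site request refused", http.StatusForbidden)
		default:
			msg, _ := applyMutation(s, q)
			fmt.Fprintln(w, msg)
		}
	})
}

// simulate drives a handler with a constructed request carrying the given Origin
// header and returns the HTTP status; the target's host becomes r.Host.
func simulate(h http.Handler, method, target, origin string) int {
	req := httptest.NewRequest(method, target, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const srv = "http://files.internal:8000/" // hypothetical server address
	v, h := newStore(), newStore()
	fmt.Println("vulnerable, cross-site GET:", simulate(vulnerableHandler(v), "GET", srv+"?delete=secret.txt", "http://other.example"), "entry kept:", v.entries["secret.txt"])
	fmt.Println("hardened, cross-site GET:", simulate(hardenedHandler(h), "GET", srv+"?delete=secret.txt", "http://other.example"), "entry kept:", h.entries["secret.txt"])
	fmt.Println("hardened, cross-site POST:", simulate(hardenedHandler(h), "POST", srv+"?delete=secret.txt", "http://other.example"), "entry kept:", h.entries["secret.txt"])
	fmt.Println("hardened, same-origin POST:", simulate(hardenedHandler(h), "POST", srv+"?delete=secret.txt", srv), "entry kept:", h.entries["secret.txt"])
}
```

Run with `go run .`; the four lines show the vulnerable handler returning 200 and dropping the entry on a cross-site GET, and the hardened handler answering 405, then 403, then 200 only for the same-origin POST. In a real review of a basic-auth file server, the detection question is the same one the handler asks: does any route change state on GET, and is the request source ever checked.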


Tags: CSRF

Related Identifiers: CVE-2026-40883, GHSA-JRQ5-HG6X-J6G3

Affected Products: Goshs