PT-2026-36883 · Goshs · Goshs

Patrickhener · Published 2026-04-23 · Updated 2026-05-12 · CVE-2026-42091

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: goshs versions prior to 2.0.2
Description: The PUT upload handler in httpserver/updown.go lacks Cross-Site Request Forgery (CSRF) token validation. CSRF is a type of attack that tricks a victim into submitting a malicious request. This deficiency, combined with the unconditional Access-Control-Allow-Origin: * header on the OPTIONS preflight handler in httpserver/server.go, allows any website to write arbitrary files to a goshs instance via a victim's browser, effectively bypassing network isolation such as a localhost-only or internal-network deployment.
Recommendations: Update to version 2.0.2.
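As an added, hypothetical illustration of the mitigation class this advisory describes (not goshs's own code and not its actual fix): a Go middleware that answers the CORS preflight only for the server's own origin instead of "*", and requires a per-session anti-CSRF token on write methods such as PUT. The origin, token and upload path are constructed placeholders.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

// Constructed values: a real server derives allowedOrigin from its listen address and issues sessionToken per session.
const allowedOrigin = "http://127.0.0.1:8000"
const sessionToken = "example-token-not-a-real-secret"
// csrfGuard wraps a state-changing handler such as a PUT upload: the CORS
// preflight is answered only for our own origin (never "*"), a browser Origin
// on a write must be our own, and the anti-CSRF token must match.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions {
			if r.Header.Get("Origin") != allowedOrigin {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
			w.WriteHeader(http.StatusNoContent)
			return
		}
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			if o := r.Header.Get("Origin"); o != "" && o != allowedOrigin {
				http.Error(w, "cross-origin write rejected", http.StatusForbidden)
				return
			}
			if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-CSRF-Token")), []byte(sessionToken)) != 1 {
				http.Error(w, "missing or invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// uploadStatus sends a synthetic request through the guard and returns the status code.
func uploadStatus(method, origin, token string) int {
	upload := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })
	req := httptest.NewRequest(method, "http://127.0.0.1:8000/upload", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("X-CSRF-Token", token)
	rec := httptest.NewRecorder()
	csrfGuard(upload).ServeHTTP(rec, req)
	return rec.Code
}
```

The Origin check is a second line of defence for browser-initiated writes; the token check is what actually closes the CSRF gap, since a same-site page cannot forge it without first reading it.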

Exploit · Fix · CSRF

Weakness Enumeration

Related Identifiers: CVE-2026-42091, GHSA-RHF7-WVW3-VJVM

Affected Products: Goshs