cvedb.io
CVE-2026-40876
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-04-21T20:17:01.263 · Last modified 2026-06-17T10:45:48.520

Summary

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secre

Affected products

goshs — goshs

Does this affect you?

Add your gear to cvedb and we'll alert you only when goshs ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.