What is CVE-2025-46816?

CVE-2025-46816 is a critical-severity vulnerability in Patrickhener Goshs, classified under Improper Access Control. CVSS score: 9.4/10. Published 2025-05-06.

How severe is CVE-2025-46816?

Critical severity. CVSS v3 base score is 9.4 out of 10.

Is CVE-2025-46816 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Patrickhener Goshs

CVE-2025-46816

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check…

EPSS: 0.002 (36.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.4 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L.

Affected products

Patrickhener Goshs — versions >= 0.3.4, < 1.0.5

Weakness classification (CWE)

Public proof-of-concept exploits

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm (x_refsource_CONFIRM)
https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-46816?: CVE-2025-46816 is a critical-severity vulnerability in Patrickhener Goshs, classified under Improper Access Control. CVSS score: 9.4/10. Published 2025-05-06.
How severe is CVE-2025-46816?: Critical severity. CVSS v3 base score is 9.4 out of 10.
Is CVE-2025-46816 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.