Path Traversal in Patrickhener Goshs

CVE-2026-40876

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP…

Vulnerability class: Path Traversal (Directory Traversal)
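
The failure mode named in the description, prefix-based path validation, shown next to a boundary-aware check. This is an added illustration, not code from goshs; the function names, the root /srv/sftp and the sample paths are constructed, and the sibling-directory case is an assumption about how such a check typically fails.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// prefixCheck (hypothetical) is the flawed pattern: a raw string-prefix
// comparison against the root with no path-separator boundary, so any
// sibling whose name merely starts with the root's name is accepted.
func prefixCheck(root, requested string) bool {
	full := filepath.Clean(filepath.Join(root, requested))
	return strings.HasPrefix(full, root)
}

// boundaryCheck (hypothetical) accepts the request only when the resolved
// path, expressed relative to root, does not climb out of root.
// It is lexical only: symlinks inside root are not resolved here.
func boundaryCheck(root, requested string) bool {
	full := filepath.Clean(filepath.Join(root, requested))
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	root := "/srv/sftp" // constructed sample root
	// Constructed sample requests: in-root file, sibling directory, parent escape.
	for _, p := range []string{"docs/a.txt", "../sftp-private/key", "../../etc/passwd"} {
		fmt.Printf("%-22s prefix=%-5v boundary=%v\n",
			p, prefixCheck(root, p), boundaryCheck(root, p))
	}
}
```

The sibling path /srv/sftp-private/key passes the prefix comparison because it begins with the string /srv/sftp, while the relative-path check rejects it.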

EPSS: 0.001 (18.8th percentile)

Affected products

Weakness classification (CWE)

References