CSRF in Patrickhener Goshs

CVE-2026-40883

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigg…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.000 (7.2th percentile) — read the EPSS interpretation.

Affected products

Patrickhener Goshs — versions >= 2.0.0-beta.4, < 2.0.0-beta.6

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3 (x_refsource_CONFIRM)