Information disclosure in Patrickhener Goshs

CVE-2026-40885

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected f…

Vulnerability class: Information Disclosure

EPSS: 0.001 (26.4th percentile) — read the EPSS interpretation.

Affected products

Patrickhener Goshs — versions >= 2.0.0-beta.4, < 2.0.0-beta.6

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp (x_refsource_CONFIRM)