Package impact

Go / github.com/patrickhener/goshs

CVE	Severity	CVSS	Risk	Published	Description
CVE-2026-42091	medium	6.5	6.5	1mo ago	goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS
CVE-2026-40884	unknown	—	—	2mo ago	goshs has an empty-username SFTP password authentication bypass
CVE-2026-40876	unknown	—	—	2mo ago	SFTP root escape via prefix-based path validation in goshs
CVE-2026-40189	unknown	—	—	2mo ago	goshs has a file-based ACL authorization bypass in goshs state-changing routes
CVE-2026-40188	unknown	—	—	2mo ago	goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs
CVE-2026-35471	unknown	—	—	2mo ago	goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CVE-2026-35393	unknown	—	—	2mo ago	goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
CVE-2026-35392	unknown	—	—	2mo ago	goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
CVE-2026-34581	unknown	—	—	2mo ago	goshs has Auth Bypass via Share Token
CVE-2025-46816	unknown	—	—	1y ago	goshs route not protected, allows command execution in github.com/patrickhener/goshs