Home / Vulnerability Intelligence / CVE-2026-35392

CVE-2026-35392 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 7, 2026

goshs - Path Traversal

Published: April 6, 2026Updated: April 7, 2026Remote Exploitable

Overview

goshs < 2.0.0-beta.3 contains a path traversal caused by lack of path sanitization in PUT upload in httpserver/updown.go, letting attackers upload files to arbitrary paths, exploit requires no special privileges.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 6.9%(Probability of exploitation in next 30 days)

Impact

Attackers can upload files to arbitrary paths, potentially leading to remote code execution or system compromise.

Mitigation

Upgrade to version 2.0.0-beta.3 or later.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Apr 7, 2026

🔴 CVE-2026-35392 - Critical (9.8) goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35392/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

OffSequence

@offseq

Apr 7, 2026

🚨 CVE-2026-35392: goshs < 2.0.0-beta.3 has a CRITICAL path traversal flaw (CVSS 9.8). Remote attackers can write files anywhere on the server. Upgrade to 2.0.0-beta.3+ ASAP! https://radar.offseq.com/threat/cve-2026-35392-cwe-22-improper-limitation-of-a-pat-4b67dff2 #OffSeq #Infosec #GoLang #Vulnerability

View original post

Related Resources

Details

CVE ID: CVE-2026-35392
Severity: Critical
CVSS Score: 9.8
Type: path_traversal
Status: unconfirmed
EPSS: 6.9%
Social Posts: 2

CWE

CWE-22

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

6.9%Probability of exploitation in the next 30 days