CVE-2026-42091— goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| patrickhener | goshs | < 2.0.2 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42091
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS
Source: NVD (National Vulnerability Database)
Vulnerability Description
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨站请求伪造(CSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
goshs 跨站请求伪造漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
goshs是Patrick Hener个人开发者的一个用Go编写的简单HTTP Server。 goshs 2.0.2之前版本存在跨站请求伪造漏洞,该漏洞源于PUT上传处理程序缺少CSRF令牌验证,结合OPTIONS预检处理程序的无条件跨域资源共享标头,可能导致任意网站通过受害者浏览器写入任意文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| patrickhener | goshs | < 2.0.2 | - |
II. Public POCs for CVE-2026-42091
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42091
请登录查看更多情报信息。
Patch · 2Advisory · 1
- Release v2.0.2 · patrickhener/goshs · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42091
IV. Related Vulnerabilities
Same product: goshs
- CVE-2026-40903
Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential - CVE-2026-40885
goshs: Public collaborator feed leaks .goshs ACL credentials - CVE-2026-40884
goshs: Empty-username SFTP password authentication bypass in - CVE-2026-40883
goshs: CSRF in state-changing GET routes enables authenticat - CVE-2026-40876
SFTP root escape via prefix-based path validation in goshs
Same vendor: patrickhener
- CVE-2026-40903
Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential - CVE-2026-40885
goshs: Public collaborator feed leaks .goshs ACL credentials - CVE-2026-40884
goshs: Empty-username SFTP password authentication bypass in - CVE-2026-40883
goshs: CSRF in state-changing GET routes enables authenticat - CVE-2026-40876
SFTP root escape via prefix-based path validation in goshs
Same weakness: CWE-352
- CVE-2018-25334
Zechat 1.5 Cross-Site Request Forgery (CSRF) via hashtag par - CVE-2018-25337
Joomla JoomOCShop 1.0 Cross-Site Request Forgery - CVE-2018-25336
Joomla jCart for OpenCart 2.3.0.2 Cross-Site Request Forgery - CVE-2018-25327
Joomla! Component Js Jobs 1.2.0 Cross-Site Request Forgery - CVE-2018-25321
TP-Link TL-WR720N All Versions CSRF via Administrative Inter
V. Comments for CVE-2026-42091
No comments yet