{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40883", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.719Z", "datePublished": "2026-04-21T19:35:37.652Z", "dateUpdated": "2026-04-21T20:36:13.233Z"}, "containers": {"cna": {"title": "goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": ">= 2.0.0-beta.4, < 2.0.0-beta.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:35:37.652Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6."}], "source": {"advisory": "GHSA-jrq5-hg6x-j6g3", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:16:59.493724Z", "id": "CVE-2026-40883", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:36:13.233Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40883", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:16:59.493724Z"}}}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:17:09.423Z"}}], "cna": {"title": "goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation", "source": {"advisory": "GHSA-jrq5-hg6x-j6g3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"status": "affected", "version": ">= 2.0.0-beta.4, < 2.0.0-beta.6"}]}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3", "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:35:37.652Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40883", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:36:13.233Z", "dateReserved": "2026-04-15T15:57:41.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:35:37.652Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6."}], "id": "CVE-2026-40883", "lastModified": "2026-04-21T21:16:43.753", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:01.983", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T05:27:35.959560+00:00", "value": {"mitigation_remediation": ["Upgrade goshs to version 2.0.0\u2011beta.6 or later, which contains the official patch.", "If an upgrade cannot be performed immediately, remove or disable the state\u2011changing ?delete and ?mkdir parameters from the server configuration or restrict access to those endpoints to trusted networks only.", "Implement additional CSRF defenses such as checking Origin or Referer headers for state\u2011changing requests, or requiring a CSRF token in POST requests if you maintain the source code."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery enabling authenticated file deletion and directory creation"}, "threat_synthesis": {"affected_systems": "The offender is the open\u2011source web server goshs, maintained by patrickhener. Versions from 2.0.0\u2011beta.4 through 2.0.0\u2011beta.5 are affected. The issue was corrected in version 2.0.0\u2011beta.6 and later releases.", "description_and_impact": "goshs contains a CSRF flaw in its state\u2011changing HTTP GET routes that allows an attacker to prompt an authenticated browser to perform destructive actions such as deleting files or creating directories. The server trusts only HTTP Basic authentication and performs no CSRF, Origin or Referer validation for these routes, so a malicious link or embedded image can trigger the operations. The primary impact is loss of data and configuration changes conducted with the privileges of the authenticated actor.", "risk_and_exploitability": "The CVSS score of 6.1 classifies the vulnerability as moderate severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, indicating no known active exploitation reports. Exploit requires a victim to be authenticated to the server; an attacker can craft a link containing the ?delete or ?mkdir parameters and lure the victim into clicking it, which would trigger the destructive action without additional credentials. This makes the vulnerability potentially valuable for insiders or attackers who have already compromised a user\u2019s session or device."}}}}, "created": "2026-04-22T05:30:09.559190+00:00", "updated": "2026-04-22T05:30:09.559211+00:00", "vendors": []}