[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-40189":6},{"stargazers_count":4,"fetched_at":5},5,"2026-04-11T20:12:46.593Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":24,"aliases":25,"duplicate_of":9,"upstream":27,"downstream":28,"duplicates":29,"related":30,"reserved_at":9,"published_at":31,"modified_at":31,"state":32,"summary":33,"references_raw":42,"kevs":70,"epss":71,"epss_history":74,"metrics":76,"affected":85},"CVE-2026-40189","goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-862","Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.","weakness","Incomplete","Class","High",[20],{"id":21,"name":22,"techniques":23},"CAPEC-665","Exploitation of Thunderbolt Protection Flaws",[],[],[26],"GHSA-wvhv-qcqf-f3cx",[],[],[],[],"2026-04-10T19:44:54.672Z","Received",{"cisa_kev":34,"cisa_ransomware":34,"cisa_vendor":9,"epss_severity":35,"epss_score":36,"severity":37,"severity_score":38,"severity_version":39,"severity_source":40,"severity_vector":41,"severity_status":32},false,"low",0.00105,"critical",9.3,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[43,51,56,60,65],{"url":44,"sources":45,"tags":48},"https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx",[40,46,47],"nvd","osv_go",[49,50],"X Refsource CONFIRM","WEB",{"url":52,"sources":53,"tags":54},"https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f",[40,46,47],[55,50],"X Refsource MISC",{"url":57,"sources":58,"tags":59},"https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4",[40,46,47],[55,50],{"url":61,"sources":62,"tags":63},"https://github.com/patrickhener/goshs",[47],[64],"PACKAGE",{"url":66,"sources":67,"tags":68},"https://nvd.nist.gov/vuln/detail/CVE-2026-40189",[47],[69],"Advisory",[],{"date":72,"score":36,"percentile":73},"2026-04-11",0.28577,[75],{"date":72,"score":36,"percentile":73},[77,80,83],{"source":40,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":78},{"baseScore":38,"baseSeverity":79,"vectorString":41,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":46,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":81},{"baseScore":38,"baseSeverity":79,"vectorString":82,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",{"source":47,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":84},{"baseScore":38,"baseSeverity":9,"vectorString":41,"impactScore":9,"exploitabilityScore":9},[86,99],{"ecosystem":87,"name":88,"vendor":89,"product":90,"cpe_part":9,"purl_type":91,"purl_namespace":89,"purl_name":90,"source":9,"versions":92},"Go","github.com/patrickhener/goshs","github.com/patrickhener","goshs","golang",[93],{"version":94,"is_range":95,"range_type":96,"version_start":9,"version_start_type":9,"version_end":97,"version_end_type":98,"fixed_in":9},"lte1_1_4",true,"semver","1.1.4","including",{"ecosystem":9,"name":90,"vendor":100,"product":90,"cpe_part":101,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":102},"patrickhener","a",[103],{"version":104,"is_range":95,"range_type":40,"version_start":9,"version_start_type":9,"version_end":105,"version_end_type":106,"fixed_in":9},"\u003C 2.0.0-beta.4","2.0.0-beta.4","excluding"]