{"api_version":"1","generated_at":"2026-04-18T14:45:44+00:00","cve":"CVE-2026-34581","urls":{"html":"https://cve.report/CVE-2026-34581","api":"https://cve.report/api/cve/CVE-2026-34581.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34581","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34581"},"summary":{"title":"goshs has Auth Bypass via Share Token","description":"goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-04-02 19:21:32","updated_at":"2026-04-03 16:10:23"},"problem_types":["CWE-288","CWE-288 CWE-288: Authentication Bypass Using an Alternate Path or Channel"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216","name":"https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g","name":"https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2","name":"https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34581","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34581","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"patrickhener","product":"goshs","version":"affected >= 1.1.0, < 2.0.0-beta.2","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"34581","cve":"CVE-2026-34581","epss":"0.000280000","percentile":"0.080240000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"goshs","vendor":"patrickhener","versions":[{"status":"affected","version":">= 1.1.0, < 2.0.0-beta.2"}]}],"descriptions":[{"lang":"en","value":"goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-288","description":"CWE-288: Authentication Bypass Using an Alternate Path or Channel","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-02T18:04:35.217Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g","tags":["x_refsource_CONFIRM"],"url":"https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g"},{"name":"https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216","tags":["x_refsource_MISC"],"url":"https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216"},{"name":"https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2","tags":["x_refsource_MISC"],"url":"https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"}],"source":{"advisory":"GHSA-jgfx-74g2-9r6g","discovery":"UNKNOWN"},"title":"goshs has Auth Bypass via Share Token"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-34581","datePublished":"2026-04-02T18:04:35.217Z","dateReserved":"2026-03-30T16:56:30.999Z","dateUpdated":"2026-04-02T18:04:35.217Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-02 19:21:32","lastModifiedDate":"2026-04-03 16:10:23","problem_types":["CWE-288","CWE-288 CWE-288: Authentication Bypass Using an Alternate Path or Channel"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34581","Ordinal":"1","Title":"goshs has Auth Bypass via Share Token","CVE":"CVE-2026-34581","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34581","Ordinal":"1","NoteData":"goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.","Type":"Description","Title":"goshs has Auth Bypass via Share Token"}]}}}