File Download Bypass in goshs SimpleHTTPServer by Patrick Hener
CVE-2026-34581

8.1HIGH

Key Information:

Vendor

Patrickhener

Status
Goshs
Vendor
CVE Published:
2 April 2026

What is CVE-2026-34581?

The goshs SimpleHTTPServer, developed by Patrick Hener, is susceptible to a file download bypass vulnerability that affects versions 1.1.0 through just prior to 2.0.0-beta.2. This flaw occurs when utilizing the Share Token feature, which allows malicious users to circumvent restrictions on file downloads. Exploiting this vulnerability may enable unauthorized access to all goshs functionalities, including the execution of arbitrary code. This issue has been mitigated in version 2.0.0-beta.2.

Affected Version(s)

goshs >= 1.1.0, < 2.0.0-beta.2

References

https://github.com/patrickhener/goshs/security/advisories...
x_refsource_CONFIRM
https://github.com/patrickhener/goshs/commit/6fb224ed15c2...
x_refsource_MISC
https://github.com/patrickhener/goshs/releases/tag/v2.0.0...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.