Cross-Site Request Forgery in goshs HTTP Server by Patrick Hener
CVE-2026-40883

6.1 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 21 April 2026

What is CVE-2026-40883?

The goshs HTTP server, versions 2.0.0-beta.4 through 2.0.0-beta.5, is vulnerable to cross-site request forgery (CSRF) on its state-changing HTTP GET routes. The server relies on HTTP basic authentication alone and performs no CSRF-token, Origin or Referer validation, so a page under an attacker's control can cause a victim's already-authenticated browser to perform actions such as deleting files or creating directories. The issue is fixed in version 2.0.0-beta.6.
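As an added illustration of the missing check described above (example code written for this page, not goshs's own), the Go middleware below refuses state-changing requests unless Sec-Fetch-Site, Origin or Referer shows they came from this server; the route names /delete and /mkdir are assumed, not taken from goshs.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// GET routes that change server state (route names assumed for this example).
var statePaths = map[string]bool{"/delete": true, "/mkdir": true}

// isStateChanging treats every non-GET/HEAD request, plus the listed GET
// routes, as a state change that needs origin verification.
func isStateChanging(r *http.Request) bool {
	if r.Method != http.MethodGet && r.Method != http.MethodHead {
		return true
	}
	return statePaths[r.URL.Path]
}

// sameOrigin reports whether the request verifiably came from this server.
func sameOrigin(r *http.Request) bool {
	// Sec-Fetch-Site is set by modern browsers and cannot be altered by a page.
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return true
	case "cross-site", "same-site":
		return false
	}
	// Fall back to Origin, then Referer; a request carrying neither is refused.
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// RequireSameOrigin wraps a handler and blocks cross-site state changes with 403.
func RequireSameOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isStateChanging(r) && !sameOrigin(r) {
			http.Error(w, "cross-site request refused", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Header checks of this kind are a stop-gap; the durable fix is to move state changes off GET and bind them to a per-session CSRF token.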

Affected Version(s)

goshs >= 2.0.0-beta.4, < 2.0.0-beta.6

References

CVSS V4

Score: 6.1
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
