ArtiPACKED Vulnerability in goshs SimpleHTTPServer by patrickhener
CVE-2026-40903

9.1CRITICAL

Key Information:

Vendor: Patrickhener
Status: Goshs
Vendor: CVE Published:; 21 April 2026

🔔 Create Patrickhener Vulnerability Alert

What is CVE-2026-40903?

The goshs SimpleHTTPServer, developed by patrickhener, contains an ArtiPACKED vulnerability that can inadvertently expose the GITHUB_TOKEN through workflow artifacts. This occurs even when the token is not included in the repository's source code, posing significant security risks to developers and projects utilizing this server. The issue has been addressed in version 2.0.0-beta.6, making it imperative for users to upgrade to mitigate the risk of unauthorized token access.

Affected Version(s)

goshs < 2.0.0-beta.6

References

https://github.com/patrickhener/goshs/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40903 Data

JSON