CSRF Vulnerability in goshs SimpleHTTPServer by Patrick Hener
CVE-2026-42091

6.5 MEDIUM

Key Information:

Status
Vendor
CVE Published: 4 May 2026

What is CVE-2026-42091?

The goshs SimpleHTTPServer, developed by Patrick Hener, does not properly validate CSRF tokens in its PUT upload handler. In versions prior to 2.0.2 the missing token validation allows unauthorized file uploads from any website. Coupled with a permissive Access-Control-Allow-Origin header on the OPTIONS preflight handler, this flaw exposes goshs to potential exploitation, where files can be written to the server through the victim's browser without appropriate network isolation measures. The issue is fixed in version 2.0.2.
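The two controls named above, sketched as a Go middleware: the preflight response carries no wildcard Access-Control-Allow-Origin, and a PUT is refused unless it is same-site and carries the expected token. This is an added example, not goshs code and not the 2.0.2 patch; `guardUpload`, `probe`, the `X-CSRF-Token` header, the origin and the token value are all assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const (
	trustedOrigin = "https://files.example.test" // assumption: the server's own origin (constructed)
	csrfHeader    = "X-CSRF-Token"               // assumption: hypothetical header name
)

// guardUpload refuses wildcard CORS approval on preflight and rejects cross-site or token-less PUTs.
func guardUpload(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if r.Method == http.MethodOptions {
			if origin == trustedOrigin { // any other origin gets no Access-Control-Allow-* headers
				w.Header().Set("Access-Control-Allow-Origin", trustedOrigin)
				w.Header().Set("Access-Control-Allow-Methods", "PUT")
				w.Header().Set("Access-Control-Allow-Headers", csrfHeader)
			}
			w.WriteHeader(http.StatusNoContent)
			return
		}
		crossSite := origin != "" && origin != trustedOrigin
		tokenOK := token != "" && subtle.ConstantTimeCompare([]byte(r.Header.Get(csrfHeader)), []byte(token)) == 1
		if r.Method == http.MethodPut && (crossSite || !tokenOK) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request through the guard and returns the status and Access-Control-Allow-Origin.
func probe(method, origin, tok string) (int, string) {
	created := func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) }
	r := httptest.NewRequest(method, "/upload/a.txt", nil)
	r.Header.Set("Origin", origin)
	r.Header.Set(csrfHeader, tok)
	rec := httptest.NewRecorder()
	// Constructed token; a real server would issue a random one per session.
	guardUpload("constructed-session-token", http.HandlerFunc(created)).ServeHTTP(rec, r)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() { fmt.Println(probe(http.MethodPut, "https://other.example", "")) }
```

Requests with no Origin header (non-browser clients) are still held to the token check, so the token remains the primary control and the origin check is defence in depth.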

Affected Version(s)

goshs < 2.0.2

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
