CVE-2026-40883: CWE-352: Cross-Site Request Forgery (CSRF) in patrickhener goshs
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6.
AI Analysis
Technical Summary
The goshs SimpleHTTPServer written in Go versions 2.0.0-beta.4 through 2.0.0-beta.5 is vulnerable to CSRF attacks on state-changing HTTP GET endpoints. Because goshs uses only HTTP basic authentication and lacks CSRF, Origin, or Referer validation, an attacker can cause an authenticated browser to execute destructive actions such as ?delete and ?mkdir requests. This vulnerability is addressed in version 2.0.0-beta.6.
Potential Impact
An attacker can exploit this vulnerability to induce an authenticated user’s browser to perform unauthorized destructive actions on the goshs server, such as deleting files or creating directories. This can lead to data loss or unauthorized modification of server state. The CVSS 4.0 score is 6.1 (medium severity), reflecting the network attack vector, low attack complexity, and requirement for user interaction.
Mitigation Recommendations
Upgrade goshs to version 2.0.0-beta.6 or later where this CSRF vulnerability is fixed. Until then, users should avoid using vulnerable versions in environments where untrusted web content can be accessed by authenticated users. No official patch link is provided, but the fix is included in the stated version update.
CVE-2026-40883: CWE-352: Cross-Site Request Forgery (CSRF) in patrickhener goshs
Description
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The goshs SimpleHTTPServer written in Go versions 2.0.0-beta.4 through 2.0.0-beta.5 is vulnerable to CSRF attacks on state-changing HTTP GET endpoints. Because goshs uses only HTTP basic authentication and lacks CSRF, Origin, or Referer validation, an attacker can cause an authenticated browser to execute destructive actions such as ?delete and ?mkdir requests. This vulnerability is addressed in version 2.0.0-beta.6.
Potential Impact
An attacker can exploit this vulnerability to induce an authenticated user’s browser to perform unauthorized destructive actions on the goshs server, such as deleting files or creating directories. This can lead to data loss or unauthorized modification of server state. The CVSS 4.0 score is 6.1 (medium severity), reflecting the network attack vector, low attack complexity, and requirement for user interaction.
Mitigation Recommendations
Upgrade goshs to version 2.0.0-beta.6 or later where this CSRF vulnerability is fixed. Until then, users should avoid using vulnerable versions in environments where untrusted web content can be accessed by authenticated users. No official patch link is provided, but the fix is included in the stated version update.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T15:57:41.719Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7d78519fe3cd2cdf5b31c
Added to database: 4/21/2026, 8:01:09 PM
Last enriched: 4/21/2026, 8:17:13 PM
Last updated: 4/22/2026, 6:07:42 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.