goshs, a SimpleHTTPServer written in Go, had a CSRF vulnerability (CWE-352) in its PUT upload handler before version 2.0.2. While the POST upload handler was protected by CSRF token validation after a previous fix (CVE-2026-40883), the PUT handler did not receive the same protection. The server also unconditionally sets Access-Control-Allow-Origin: * on OPTIONS preflight requests, enabling cross-origin requests. This combination allows an attacker-controlled website to cause a victim's browser to upload arbitrary files to the goshs server, potentially bypassing network isolation controls such as localhost or internal network boundaries. The vulnerability is fixed in goshs version 2.0.2.

An attacker can exploit this vulnerability to write arbitrary files to a goshs server instance through a victim's browser, potentially leading to unauthorized file uploads and modification within the server's accessible environment. This could bypass network isolation protections, increasing the risk of unauthorized access or manipulation of internal resources. There is no indication of confidentiality or availability impact, but integrity is affected. No known exploits in the wild have been reported.

This vulnerability is fixed in goshs version 2.0.2. Users should upgrade to version 2.0.2 or later to ensure the PUT upload handler includes CSRF token validation and to prevent arbitrary file uploads via CSRF attacks. Since this is not a cloud service, remediation depends on applying the official patch. Patch status is confirmed by the vendor's versioning information.