Cyber Posture

CVE-2026-40188

High · Public PoC

Published: 10 April 2026
Modified: 14 April 2026
KEV Added
Patch
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
EPSS Score: 0.0003 (8.5th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40188 is a high-severity Missing Write Protection for Parametric Data Values (CWE-1314) vulnerability in goshs (vendor listed as Goshs). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The vulnerability is ranked at the 8.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Ingress Tool Transfer (T1105) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-10 (Information Input Validation): Directly mandates validation and sanitization of SFTP rename destination paths to block directory traversal sequences such as '../' that resolve outside the root directory.

prevent · SI-2 (Flaw Remediation): Requires monitoring for and timely remediation of the specific path sanitization flaw by upgrading goshs to version 2.0.0-beta.4 or later.

prevent: Enforces approved access authorizations in the SFTP server so that file writes are restricted to the configured root directory, mitigating unauthorized traversal writes.

MITRE ATT&CK Enterprise Techniques (AI)

T1105 Ingress Tool Transfer (Command And Control): Adversaries may transfer tools or other files from an external system into a compromised environment.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The SFTP rename path traversal allows arbitrary file writes outside the root, directly enabling ingress of tools or files to any system location (T1105) and privilege escalation via overwriting critical files (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

Deeper analysis (AI)

CVE-2026-40188 affects goshs, a SimpleHTTPServer written in Go, in versions from 1.0.7 up to but not including 2.0.0-beta.4. The vulnerability lies in the SFTP rename command, which sanitizes only the source path and neglects the destination path. This flaw, classified under CWE-1314 (Missing Write Protection for Parametric Data Values, as listed above), enables directory traversal by allowing writes outside the configured SFTP root directory. It carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N), indicating high severity due to its network accessibility and integrity impact.

An attacker with low-privilege SFTP access, such as an authenticated user, can exploit this over the network with low complexity and no user interaction required. By issuing a rename whose destination path contains traversal sequences such as "../", the attacker can write outside the SFTP root, which is why the CVSS vector records a scope change (S:C): the affected resource is no longer confined to the SFTP service itself. This could lead to overwriting critical files, escalating privileges, or disrupting services, though the vector records no direct impact on confidentiality or availability.

The vulnerability is addressed in goshs version 2.0.0-beta.4, where the destination path sanitization was properly implemented, as detailed in the project's security advisory (GHSA-2943-crp8-38xx), release notes, and the fixing commit (141c188ce270ffbec087844a50e5e695b7da7744). Security practitioners should upgrade to 2.0.0-beta.4 or later and review SFTP configurations to enforce strict root directory isolation.
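The weak pattern described above (confining the source of a rename but merely joining the destination to the root) and the corrected pattern (confining both ends) are shown side by side in the following added example. This is illustrative code written for this page; it is not goshs's code and not the fixing commit, and the root directory and file names are constructed. The containment check is lexical: path.Clean collapses "." and ".." before the prefix comparison, so a "../" sequence cannot survive into the comparison.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrOutsideRoot is returned when a client path resolves outside the SFTP root.
var ErrOutsideRoot = errors.New("path escapes SFTP root")

// confine maps a client-supplied SFTP path (slash-separated, as in the SFTP
// protocol) onto the server filesystem below root and rejects any result that
// leaves root. "root" itself and anything under "root/" are accepted; a
// sibling such as "root2/x" is rejected because the comparison includes the
// trailing slash.
func confine(root, clientPath string) (string, error) {
	root = path.Clean(root)
	full := path.Clean(path.Join(root, clientPath))
	if full != root && !strings.HasPrefix(full, root+"/") {
		return "", fmt.Errorf("%w: %q", ErrOutsideRoot, clientPath)
	}
	return full, nil
}

// renameSourceOnly reproduces the weak pattern from the advisory: the source
// is confined, the destination is only joined to root with no containment
// check, so a destination beginning with "../" resolves above root.
func renameSourceOnly(root, src, dst string) (realSrc, realDst string, err error) {
	if realSrc, err = confine(root, src); err != nil {
		return "", "", err
	}
	realDst = path.Clean(path.Join(root, dst)) // missing check
	return realSrc, realDst, nil
}

// renameConfined applies the same confinement to both ends of the rename,
// which is the property the fix must establish.
func renameConfined(root, src, dst string) (realSrc, realDst string, err error) {
	if realSrc, err = confine(root, src); err != nil {
		return "", "", err
	}
	if realDst, err = confine(root, dst); err != nil {
		return "", "", err
	}
	return realSrc, realDst, nil
}

func main() {
	const root = "/srv/sftp" // constructed example root

	_, weakDst, _ := renameSourceOnly(root, "upload.txt", "../../outside.txt")
	fmt.Println("source-only check resolves destination to:", weakDst)

	_, _, err := renameConfined(root, "upload.txt", "../../outside.txt")
	fmt.Println("both-ends check:", err)

	_, okDst, _ := renameConfined(root, "upload.txt", "archive/upload.txt")
	fmt.Println("legitimate rename resolves to:", okDst)
}
```

The check above is purely lexical and therefore does not account for symlinks already present under the root; a server that allows clients to create symlinks should additionally resolve the real path (for example with filepath.EvalSymlinks) before the prefix comparison, or refuse to follow symlinks at all.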

Details

CWE(s): CWE-1314 Missing Write Protection for Parametric Data Values

Affected Products

Vendor: goshs · Product: goshs · Version: 2.0.0 · Affected range: 1.0.7 to 2.0.0

CVEs Like This One

CVE-2026-40189 (same product: Goshs Goshs)
CVE-2026-40876 (same product: Goshs Goshs)
CVE-2026-40883 (same product: Goshs Goshs)
CVE-2026-40903 (same product: Goshs Goshs)
CVE-2026-40884 (same product: Goshs Goshs)
CVE-2026-40885 (same product: Goshs Goshs)
CVE-2026-34581 (same product: Goshs Goshs)

References