CVE-2026-40883

Severity: Medium · Public PoC

Published: 21 April 2026
Modified: 27 April 2026
CVSS v4 score: 6.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS score: 0.0014 (3.9th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-40883 is a medium-severity CSRF (CWE-352) vulnerability in Goshs Goshs. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-40883 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting goshs, a SimpleHTTPServer implemented in Go. The issue impacts versions from 2.0.0-beta.4 to 2.0.0-beta.5, where state-changing HTTP GET routes lack CSRF, Origin, or Referer validation and rely solely on HTTP basic authentication.

An external attacker can exploit this vulnerability by tricking an already authenticated user's browser into issuing destructive requests, such as ?delete for file deletion or ?mkdir for directory creation. The CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) reflects network accessibility, low attack complexity, no required privileges, user interaction dependency, and high impacts on integrity and availability with no confidentiality loss.

The vulnerability is addressed in goshs version 2.0.0-beta.6. The GitHub Security Advisory (GHSA-jrq5-hg6x-j6g3) provides full details on the fix and recommends upgrading to the patched release.

Vulnerability details

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6.
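The weakness described in the analysis and in the advisory text above is the absence of any same-origin check in front of the mutating GET routes. As an added example (not goshs code, and not the project's actual fix), the Go middleware below refuses the ?delete and ?mkdir query actions unless the browser-supplied Origin or Referer header matches the host the request was addressed to, so basic auth alone no longer authorises them; the Probe helper, the example.com default host and the handler shape are assumptions made for the demonstration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/url"
)

// isStateChanging flags the query-string actions the advisory names as mutating.
func isStateChanging(r *http.Request) bool {
	q := r.URL.Query()
	return q.Has("delete") || q.Has("mkdir")
}

// sameOrigin accepts a request only when the browser-supplied Origin (or, failing
// that, Referer) names the host the request was addressed to. A missing header is
// treated as cross-site, so an <img> tag or link on another site is refused.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	return src != "" && err == nil && u.Host == r.Host
}

// CSRFGuard rejects cross-site mutating requests; everything else passes through.
func CSRFGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isStateChanging(r) && !sameOrigin(r) {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe (hypothetical helper) runs one GET through the guard and returns the
// status code; hdr holds the request headers a browser would send.
func Probe(target string, hdr map[string]string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil) // host defaults to example.com
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	CSRFGuard(ok).ServeHTTP(rec, req)
	return rec.Code
}
```

Moving the mutating actions off GET onto POST with a per-session token is the more complete fix; the Origin/Referer check above is the minimal change that closes the forged-navigation path the advisory describes.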

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1485 Data Destruction (Impact): adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

CSRF vuln in public-facing goshs HTTP server directly enables exploitation of the app (T1190) to perform destructive file deletion and directory operations (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-40884 (same product: Goshs Goshs)
- CVE-2026-40885 (same product: Goshs Goshs)
- CVE-2026-34581 (same product: Goshs Goshs)
- CVE-2026-40903 (same product: Goshs Goshs)
- CVE-2026-40189 (same product: Goshs Goshs)
- CVE-2026-40876 (same product: Goshs Goshs)
- CVE-2026-40188 (same product: Goshs Goshs)
- CVE-2025-55046 (shared CWE-352)
- CVE-2025-22784 (shared CWE-352)
- CVE-2024-13684 (shared CWE-352)

Affected Assets

goshs / goshs / 2.0.0

Mitigating Controls (NIST 800-53 r5)

- prevent: SI-10 (Information Input Validation). Directly requires validation of information inputs to state-changing HTTP GET routes, enabling enforcement of CSRF tokens, Origin, or Referer checks to block forged requests that ride on basic auth.
- prevent: SC-23 (Session Authenticity). Protects communications session authenticity against cross-site forgery by ensuring only legitimate session-bound requests trigger destructive actions like delete or mkdir.
- prevent: Re-authentication. Requires re-authentication for sensitive destructive actions such as file deletion or directory creation, so an already-authenticated browser cannot be driven to act without fresh credentials.
