CVE-2026-40883
Published: 21 April 2026
Summary
CVE-2026-40883 is a high-severity cross-site request forgery (CSRF, CWE-352) vulnerability in goshs (Goshs), a SimpleHTTPServer written in Go. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 4.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of information inputs to state-changing HTTP GET routes, enabling enforcement of CSRF tokens, Origin, or Referer checks to block forged requests that exploit basic auth.
- SC-23 (Session Authenticity): protects communications session authenticity against cross-site forgery by ensuring that only legitimate session-bound requests trigger destructive actions such as delete or mkdir.
- Re-authentication for sensitive actions: requires re-authentication for destructive actions such as file deletion or directory creation, preventing CSRF exploitation through an already-authenticated browser that lacks fresh credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in the public-facing goshs HTTP server directly enables exploitation of the application (T1190) to perform destructive file deletion and directory operations (T1485, Data Destruction).
NVD Description
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6.
Deeper analysis
CVE-2026-40883 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting goshs, a SimpleHTTPServer implemented in Go. The issue impacts versions from 2.0.0-beta.4 to 2.0.0-beta.5, where state-changing HTTP GET routes lack CSRF, Origin, or Referer validation and rely solely on HTTP basic authentication.
An external attacker can exploit this vulnerability by tricking an already authenticated user's browser into issuing destructive requests, such as ?delete for file deletion or ?mkdir for directory creation. The CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) reflects network accessibility, low attack complexity, no required privileges, user interaction dependency, and high impacts on integrity and availability with no confidentiality loss.
The vulnerability is addressed in goshs version 2.0.0-beta.6. The GitHub Security Advisory (GHSA-jrq5-hg6x-j6g3) provides full details on the fix and recommends upgrading to the patched release.
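The root cause described above is that destructive query actions are accepted on any GET that carries the victim's basic-auth credentials. The following Go middleware is an added illustration of the class of fix the advisory points to (Origin/Sec-Fetch-Site validation plus a POST requirement for state changes); it is not goshs's own code, and the `?delete`/`?mkdir` query handling and the `csrfGuard`, `sameOrigin` and `isStateChanging` names are assumptions for the example.

```go
package main

import (
	"net/http"
	"net/url"
)

// isStateChanging reports whether the query names a destructive action.
// Hypothetical stand-in for goshs's routing, using the actions the advisory names.
func isStateChanging(q url.Values) bool {
	_, del := q["delete"]
	_, mk := q["mkdir"]
	return del || mk
}

// sameOrigin decides whether a browser-issued request came from this server's
// own origin. Sec-Fetch-Site is checked first (modern browsers always send it);
// the Origin header is the fallback. A request carrying neither header is treated
// as non-browser (e.g. a CLI client) and allowed, since CSRF needs a browser to
// ride the victim's stored credentials; stricter deployments may deny instead.
func sameOrigin(r *http.Request) bool {
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return true
	case "cross-site", "same-site":
		return false
	}
	if o := r.Header.Get("Origin"); o != "" {
		u, err := url.Parse(o)
		return err == nil && u.Host == r.Host
	}
	return true
}

// csrfGuard wraps h: a state-changing action must arrive as a same-origin POST,
// so a forged GET (an <img> or link on an attacker page) never reaches the handler.
func csrfGuard(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isStateChanging(r.URL.Query()) {
			if r.Method != http.MethodPost || !sameOrigin(r) {
				http.Error(w, "forbidden: cross-site or non-POST state change", http.StatusForbidden)
				return
			}
		}
		h.ServeHTTP(w, r)
	})
}

func main() {
	// Serves the current directory behind the guard; listens on localhost only.
	http.ListenAndServe("127.0.0.1:8000", csrfGuard(http.FileServer(http.Dir("."))))
}
```

Read-only requests pass through untouched, so the guard changes behaviour only for the destructive query actions it recognises.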
Details
- CWE(s)