CVE-2026-35471: goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

April 3, 2026 (updated April 7, 2026)

deleteFile() missing return after path traversal check | httpserver/handler.go:645-671

The finding affects the default configuration, no flags or authentication required.

References

github.com/advisories/GHSA-6qcc-6q27-whp8
github.com/patrickhener/goshs
github.com/patrickhener/goshs/commit/237f3af891a90df9b903b85f1cd3438040ca261a
github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8
nvd.nist.gov/vuln/detail/CVE-2026-35471

Code Behaviors & Features

Detect and mitigate CVE-2026-35471 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →