CVE-2026-40188: goshs is Missing Write Protection for Parametric Data Values
The SFTP rename command sanitizes only the source path, not the destination, so a rename can move a file to a location outside the SFTP root directory.
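As an added example, not goshs's own code and not the fix in the linked commit, the Go snippet below applies the same root-confinement check to both arguments of a rename, which is the defence the advisory's description calls for; the root path, function names and sample request are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes the SFTP root")

// confine resolves one client-supplied SFTP path against the server root and
// rejects it unless the result is root or a descendant of root (lexical check).
func confine(root, clientPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans "..", "." and duplicate separators; an absolute client path
	// is still anchored under root, as in a chroot.
	joined := filepath.Join(absRoot, filepath.FromSlash(clientPath))
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	// "..foo" is a legal name, so match ".." only as a whole leading component.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// checkRename confines both client-controlled rename arguments; the advisory's
// defect is confining only the source. The result can go straight to os.Rename.
func checkRename(root, source, target string) (src, dst string, err error) {
	if src, err = confine(root, source); err != nil {
		return "", "", fmt.Errorf("rename source: %w", err)
	}
	if dst, err = confine(root, target); err != nil {
		return "", "", fmt.Errorf("rename target: %w", err)
	}
	return src, dst, nil
}

func main() {
	// Constructed request of the shape the fix must reject: a clean source
	// paired with a traversing destination.
	src, dst, err := checkRename("/srv/sftp", "upload/a.txt", "../../etc/cron.d/job")
	fmt.Printf("src=%q dst=%q err=%v\n", src, dst, err)
}
```

Because the check is lexical, a symlink already present inside the root is not resolved here; pair it with filepath.EvalSymlinks on existing paths if the root may contain links.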
References
- github.com/advisories/GHSA-2943-crp8-38xx
- github.com/patrickhener/goshs
- github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744
- github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4
- github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx
- nvd.nist.gov/vuln/detail/CVE-2026-40188