CVE-2026-42091: goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS
(updated )
The PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim’s browser — bypassing network isolation (e.g. localhost, internal network).
References
- github.com/advisories/GHSA-rhf7-wvw3-vjvm
- github.com/patrickhener/goshs
- github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32
- github.com/patrickhener/goshs/releases/tag/v2.0.2
- github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm
- nvd.nist.gov/vuln/detail/CVE-2026-42091
Code Behaviors & Features
Detect and mitigate CVE-2026-42091 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →