EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the patrickhener/goshs package. The affected versions of the software are all prior to 1.1.5-0.20260401172448-237f3af891a9. These vulnerabilities fall under the categories of path traversal and arbitrary file write, which allow an attacker to perform unauthorized actions on the system. This has significant business risk and impact, as an attacker could potentially write arbitrary files to any location on the filesystem, leading to data loss, unauthorized access, and other security breaches.

CVE-2026-35393 with a CVSS score of 9.8 – This vulnerability occurs in the POST multipart upload functionality, where the target directory is not sanitized, allowing an attacker to perform path traversal and write files to any location on the filesystem. An attacker can exploit this vulnerability by sending a crafted POST request with a malicious filename and directory path. This requires no authentication or privileges.

CVE-2026-35392 with a CVSS score of 9.8 – This vulnerability occurs in the PUT upload functionality, where the handler uses the raw URL path to build the save path, allowing an attacker to perform path traversal and write files to any location on the filesystem. An attacker can exploit this vulnerability by sending a crafted PUT request with a malicious directory path. This requires no authentication or privileges.

The identified vulnerabilities pose a significant risk to the business, as they allow an attacker to perform unauthorized actions on the system. If exploited, these vulnerabilities could result in data loss, unauthorized access, and other security breaches.
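Both findings share one root cause: an upload handler takes a directory path or filename from the request (a multipart form field, or the raw URL path of a PUT) and joins it onto the upload root without confining the result to that root. The following Go functions show the defensive check a file server should apply before opening the destination file. This is an added example written for this summary, not code from the goshs project; the function names `SafeJoin` and `SafeFilename`, the constant `ErrPathTraversal`, and the upload root `/srv/uploads` used in `main` are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Sentinel errors so a handler can map them to a 400 response and a log entry.
var (
	ErrPathTraversal = errors.New("requested path escapes the upload root")
	ErrBadFilename   = errors.New("unusable filename")
)

// SafeJoin resolves a request-supplied relative path (a PUT URL path or a
// multipart "directory" field) against the upload root and refuses any result
// that would land outside it. It never touches the filesystem, so it can run
// before the handler creates directories or opens the destination file.
func SafeJoin(root, userPath string) (string, error) {
	// NUL bytes truncate paths in many C-backed filesystem calls; reject early.
	if strings.ContainsRune(userPath, 0) {
		return "", ErrPathTraversal
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// A URL path always starts with "/"; treat it as relative to the root
	// rather than as an absolute filesystem path.
	rel := strings.TrimLeft(filepath.ToSlash(userPath), "/")
	target := filepath.Join(absRoot, filepath.FromSlash(rel)) // Join also runs Clean

	// After cleaning, the only way out of the root is a relative path that
	// begins with "..". Check the relation of the result to the root, not the
	// raw input, so "docs/../../x" is caught as well as "../x".
	back, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	if back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

// SafeFilename keeps only the final path element of a multipart filename and
// rejects values that are empty or name the current or parent directory.
func SafeFilename(name string) (string, error) {
	if strings.ContainsRune(name, 0) {
		return "", ErrBadFilename
	}
	base := filepath.Base(filepath.FromSlash(name))
	if base == "." || base == ".." || base == string(filepath.Separator) {
		return "", ErrBadFilename
	}
	return base, nil
}

func main() {
	// Constructed inputs: a normal upload and the traversal shapes the
	// advisory describes (directory path from a PUT, filename from multipart).
	root := "/srv/uploads"
	for _, p := range []string{"/docs/notes.txt", "../../etc/passwd", "docs/../../x"} {
		dst, err := SafeJoin(root, p)
		fmt.Printf("dir %-20q -> %q err=%v\n", p, dst, err)
	}
	for _, n := range []string{"report.pdf", "../../evil.sh", ""} {
		fn, err := SafeFilename(n)
		fmt.Printf("name %-18q -> %q err=%v\n", n, fn, err)
	}
}
```

In a handler the two checks compose: the directory part of the request goes through `SafeJoin`, the filename through `SafeFilename`, and only the joined result is opened. Go's `net/http` already percent-decodes `r.URL.Path`, so the check sees `..` even when the request encoded it; a server that builds paths from `r.URL.RawPath` or from a form field must decode first, then apply the same check. Logging rejected paths with the client address gives a cheap detection signal for traversal probing against an exposed file server.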