Is github.com/patrickhener/goshs safe to use?

github.com/patrickhener/goshs has 10 known vulnerabilities on the latest version (v1.1.4). DepScope rates its health at 40/100 (high risk).

What is the latest version of github.com/patrickhener/goshs?

The latest version of github.com/patrickhener/goshs is v1.1.4, released 2026-03-13.

Does github.com/patrickhener/goshs have known vulnerabilities?

Yes. github.com/patrickhener/goshs has 10 known vulnerabilities. See depscope.dev/pkg/go/github.com/patrickhener/goshs for details.

Is github.com/patrickhener/goshs deprecated?

No, github.com/patrickhener/goshs is actively maintained. Latest release: v1.1.4 (2026-03-13).

What are alternatives to github.com/patrickhener/goshs?

DepScope has no curated alternatives for github.com/patrickhener/goshs at this time.

What license does github.com/patrickhener/goshs use?

github.com/patrickhener/goshs is licensed under MIT.

github.com/patrickhener/goshs

govv1.1.4

Feature-rich single-binary file server for red teamers and developers. HTTP/S · WebDAV · SFTP · SMB · NTLM hash capture · DNS/SMTP callbacks · TLS · Auth · Share links. A powerful python3 -m http.server replacement.

License MITpermissive47 versions11 maintainers0 deps615 weekly dl

patrickhener/goshs

/ 100

Health

do not use

github.com/patrickhener/goshs has critical vulnerabilities — do not use

Update to >= 2.0.2 to fix known vulnerabilities

3 high severity vulnerabilities
5 critical vulnerabilities

Health breakdown0 – 100

20/25

maintenance

3/20

popularity

0/25

security

12/15

maturity

5/15

community

Vulnerabilities

5 critical3 high1 medium1 low

Advisories (10)

Severity	ID	Summary	Fixed in
high	CVE-2026-40188	goshs is Missing Write Protection for Parametric Data Values	—
high	CVE-2026-40876	SFTP root escape via prefix-based path validation in goshs	2.0.0
critical	CVE-2026-35471	goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)	1.1.5-0.20260401172448-237f3af891a9
low	GHSA-7qx6-f23w-3w7f	Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint	—
critical	CVE-2026-40884	goshs has an empty-username SFTP password authentication bypass	2.0.0
critical	CVE-2026-35392	goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload	1.1.5-0.20260401172448-237f3af891a9
critical	CVE-2026-35393	goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload	1.1.5-0.20260401172448-237f3af891a9
high	CVE-2026-34581	goshs has Auth Bypass via Share Token	—
medium	GHSA-rhf7-wvw3-vjvm	goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS	2.0.2
critical	CVE-2026-40189	goshs has a file-based ACL authorization bypass in goshs state-changing routes	—

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/go/github.com/patrickhener/goshs

Last updated · 2026-03-13T14:11:55Z