VDB
CVE-2025-46816
CVE-2025-46816
PUBLISHED
CVSS 9.399999618530273 CRITICAL
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.
EPSS 0.16% · 36.4th percentile
Risk Scores
CVSS 3.0
9.399999618530273
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score
0.16%
36.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | patrickhener/goshs | 0.3.4, 0.3.4 |
| patrickhener | goshs | >= 0.3.4, < 1.0.5, >= 0.3.4, < 1.0.5 |
Exploit Intelligence
- POC for exploit of goshs (github-poc)
- POC for exploit of goshs (github-poc)
- POC for exploit of goshs (github-poc)
- POC for exploit of goshs (github-poc)
- POC for exploit of goshs (github-poc)
- POC for exploit of goshs (github-poc)
- POC for exploit of goshs (github-poc)
- POC for exploit of goshs (github-poc)
- POC for exploit of goshs (github-poc)
- CIRCL published-proof-of-concept: CVE-2025-46816 (circl-sighting)
…and 4 more exploits
Timeline
- Jan 21, 1970 Security Advisory
- May 6, 2025 CVE Published
- May 6, 2025 Coalition ESS Score
- May 6, 2025 PoC Published
- May 6, 2025 PoC Published
- May 7, 2025 EPSS Score
- May 7, 2025 Coalition ESS Score
- May 19, 2025 EPSS Score
- May 30, 2025 EPSS Score
- Jun 4, 2025 PoC Published
- Jun 11, 2025 EPSS Score
- Jun 23, 2025 EPSS Score