theinfosecnews

CVE-2026-35471

Published April 7, 2026 · Updated April 7, 2026

CVSS 9.8 (critical)

What This Means

CVE-2026-35471 is a critical vulnerability in the goshs SimpleHTTPServer prior to version 2.0.0-beta.3: the `tdeleteFile()` function is missing a return statement after its path traversal check. Without that return, the function keeps executing after the check, which potentially allows attackers to use the server to delete arbitrary files, leading to significant system compromise. To mitigate this risk, upgrade to goshs version 2.0.0-beta.3 or later immediately.
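The bug class described above, a path check that reports the failure but does not return, is shown here beside its corrected form. This is an added Go example, not goshs source code; the function names, the web-root layout and the sample file are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// deleteMissingReturn (hypothetical, not goshs code): the check fires, but nothing stops the delete.
func deleteMissingReturn(w http.ResponseWriter, root, name string) {
	p := filepath.Join(root, name)
	if !strings.HasPrefix(p, root+string(os.PathSeparator)) {
		http.Error(w, "forbidden", http.StatusForbidden)
		// BUG: no return here; http.Error only writes a response, so os.Remove still runs.
	}
	os.Remove(p)
}

// deleteFixed (hypothetical): same check, but the handler returns as soon as it fails.
func deleteFixed(w http.ResponseWriter, root, name string) {
	p := filepath.Join(root, name)
	if !strings.HasPrefix(p, root+string(os.PathSeparator)) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	os.Remove(p)
}

// demo runs both handlers on a constructed temp tree and reports whether each one
// deleted a file that lives outside the web root.
func demo() (vulnDeleted, fixedDeleted bool, err error) {
	base, err := os.MkdirTemp("", "missing-return")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(base)
	root, outside := filepath.Join(base, "webroot"), filepath.Join(base, "outside.txt")
	run := func(h func(http.ResponseWriter, string, string)) bool {
		os.WriteFile(outside, []byte("constructed"), 0o600)
		h(httptest.NewRecorder(), root, "../outside.txt")
		_, statErr := os.Stat(outside)
		return os.IsNotExist(statErr)
	}
	return run(deleteMissingReturn), run(deleteFixed), nil
}

func main() { fmt.Println(demo()) }
```

Both handlers send the same 403 response, so the status code alone does not show whether the delete was blocked; only the state of the file does.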

Official Description

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-35471.
