CVE Catalog

CVE-2026-40903

Critical
Published: Translated: NVD NIST

Summary

goshs is a SimpleHTTPServer written in Go, which prior to version 2.0.0-beta.6 had an ArtiPACKED vulnerability. This vulnerability can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code.

Risk Assessment

Organizations may be exposed to unauthorized access to resources if the GITHUB_TOKEN is leaked, potentially leading to serious security breaches.

Recommendation

It is recommended to update goshs to version 2.0.0-beta.6 or later to mitigate this vulnerability.

Original NVD description (English source)

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS