goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited se…

CVE-2026-34581 affects goshs, a SimpleHTTPServer written in Go, from version 1.1.0 to before version 2.0.0-beta.2. The vulnerability allows attackers to bypass Share Token authentication and access limited file downloads with full goshs functionality, including code execution capabilities. This authentication bypass represents a significant security risk as it can lead to unauthorized file access and remote code execution. The issue has been addressed in version 2.0.0-beta.2 with appropriate patches. Organizations using affected versions should upgrade immediately to mitigate the risk.