{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40903", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.767Z", "datePublished": "2026-04-21T19:43:36.037Z", "dateUpdated": "2026-04-22T13:45:41.782Z"}, "containers": {"cna": {"title": "Goshs - ArtiPACKED Vulnerability \u2013 GitHub Actions Credential Persistence", "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "lang": "en", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": "< 2.0.0-beta.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:43:36.037Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6."}], "source": {"advisory": "GHSA-hpxj-9fgp-fhhf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:45:25.559292Z", "id": "CVE-2026-40903", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:45:41.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40903", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:45:25.559292Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:45:38.058Z"}}], "cna": {"title": "Goshs - ArtiPACKED Vulnerability \u2013 GitHub Actions Credential Persistence", "source": {"advisory": "GHSA-hpxj-9fgp-fhhf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"status": "affected", "version": "< 2.0.0-beta.6"}]}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf", "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:43:36.037Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40903", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:45:41.782Z", "dateReserved": "2026-04-15T16:37:22.767Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:43:36.037Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6."}], "id": "CVE-2026-40903", "lastModified": "2026-04-21T20:17:02.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:02.947", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0-beta.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goshs", "source": "cna", "vendor": "patrickhener"}, "product": "goshs", "vendor": "patrickhener"}], "analysis": {"en": {"generated_at": "2026-04-22T05:26:22.879553+00:00", "value": {"mitigation_remediation": ["Upgrade goshs to version 2.0.0\u2011beta.6 or later.", "Modify GitHub Actions workflows so that artifacts do not contain the GITHUB_TOKEN, or set artifact retention to the minimum required and delete them immediately after use.", "Revoke any GitHub tokens that may have been exposed through this vulnerability and generate new personal access tokens for the affected repositories.", "Monitor GitHub audit logs for suspicious token usage and review workflow executions for content that includes credential tokens."], "summary": {"action": "Apply Patch", "impact": "Credential Leakage"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the SimpleHTTPServer package maintained by Patrick Hener, impacting all releases prior to 2.0.0\u2011beta.6. Administrators who run goshs in CI/CD contexts or expose the server to untrusted inputs should note that unpatched instances are vulnerable to credential leakage via GitHub Actions artifacts.", "description_and_impact": "goshs, a lightweight HTTP server written in Go, contains an ArtiPACKED vulnerability in releases before 2.0.0\u2011beta.6 that can cause the server to embed the environment variable GITHUB_TOKEN into data written to workflow artifacts. If a malicious or compromised GitHub Actions workflow triggers artifact creation, the token can be downloaded by the attacker, granting authenticated access to the repository and related services. The CVSS score of 9.1 reflects a high likelihood of serious impact because the exposed credential can be used for extensive malicious actions. The likely attack vector is a workflow that writes the token to an artifact, even though the token is not present in the repository source code.", "risk_and_exploitability": "The CVSS base score of 9.1 indicates high severity, and although the EPSS score is not available, the vulnerability is not yet listed in the CISA KEV catalog. However, the flaw is trivial to exploit when a workflow generates artifacts, and a compromised GITHUB_TOKEN can enable a wide range of malicious actions. Given its high score and potential impact, this threat should be treated with urgency. The absence of an EPSS score does not reduce the likelihood that an attacker could abuse the flaw in environments where workflow artifact uploads are automated."}}}}, "created": "2026-04-22T05:30:09.558278+00:00", "updated": "2026-04-22T11:45:22.604875+00:00", "vendors": ["patrickhener", "patrickhener$PRODUCT$goshs"]}