Embedthis


Products by Embedthis, sorted by number of security vulnerabilities since 2018

Embedthis GoAhead: 13 vulnerabilities
Embedthis Appweb: 5 vulnerabilities

Known Exploited Embedthis Vulnerabilities

The following Embedthis vulnerabilities have been marked by CISA as known to be exploited by threat actors.

Embedthis GoAhead Remote Code Execution Vulnerability (CVE-2017-17562), added December 10, 2021
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
Exploit Probability: 94.3%

By exploit probability, CVE-2017-17562 is in the top 1% of currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 0 vulnerabilities published for Embedthis products. In 2025 there was 1. At this rate Embedthis is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 1 0.00
2024 0 0.00
2023 0 0.00
2022 2 9.80
2021 1 9.80
2020 2 8.15
2019 5 8.63
2018 3 8.10

It may take a day or so for new Embedthis vulnerabilities to show up in the stats or in the list of recent vulnerabilities below. Vulnerabilities may also be tagged under a different product or component name.

Recent Embedthis Security Vulnerabilities

Each entry gives the CVE, its publication date and the affected product, followed by the NVD description.

CVE-2023-53155 (Jul 25, 2025) - GoAhead
goform/formTest in EmbedThis GoAhead 2.5 allows HTML injection via the name parameter.

CVE-2021-41615 (Aug 08, 2022) - GoAhead
websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). NOTE: 2.1.8 is a version from 2003; however, the affected websda.c code appears in multiple derivative works that may be used in 2021. Recent GoAhead software is unaffected.
CVE-2021-43298 (Jan 25, 2022) - GoAhead
The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until the unauthorized (401) response.
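As an added illustration of the two halves of CVE-2021-43298, here is constructed example code (not GoAhead's source): a password comparison that exits at the first mismatching byte, so the time to the 401 reveals how many leading bytes were right, next to a fixed-work comparison, plus a minimal lockout counter standing in for the missing rate-limiting. The function names, the 128-byte password cap, the sample credential and the 5-failure / 60-second lockout policy are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 128          /* assumed maximum password length (public policy) */
#define MAX_FAILURES 5      /* assumed lockout threshold */
#define LOCK_SECONDS 60     /* assumed lockout duration */

/* The pattern the CVE describes: stop at the first mismatching byte.
 * `steps` reports how many leading bytes matched before returning, which
 * is exactly the quantity an attacker recovers by timing the response. */
int leaky_password_match(const char *stored, const char *supplied, size_t *steps)
{
    size_t i = 0;
    while (stored[i] != '\0' && supplied[i] != '\0') {
        if (stored[i] != supplied[i]) {
            *steps = i;                 /* early exit: time depends on the secret */
            return 0;
        }
        i++;
    }
    *steps = i;
    return stored[i] == '\0' && supplied[i] == '\0';
}

/* Fixed-work comparison: both strings go into zero-filled PW_MAX buffers and
 * every byte is XORed into `diff` with no data-dependent branch, so the loop
 * takes the same time whatever the mismatch position. The remaining
 * length-dependent work (strlen/memcpy of the stored value) reveals at most
 * the secret's length, not its bytes; comparing fixed-length digests of a
 * password hash would remove even that. */
int ct_password_match(const char *stored, const char *supplied)
{
    unsigned char a[PW_MAX] = {0};
    unsigned char b[PW_MAX] = {0};
    size_t slen = strlen(stored);
    size_t ulen = strlen(supplied);
    unsigned char diff;

    if (slen > PW_MAX || ulen > PW_MAX) {
        return 0;                       /* the cap is public policy, not a secret */
    }
    memcpy(a, stored, slen);
    memcpy(b, supplied, ulen);
    diff = (unsigned char)(slen ^ ulen); /* fold a length mismatch in as well */
    for (size_t i = 0; i < PW_MAX; i++) {
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Minimal per-client lockout for the "no rate-limiting" half of the CVE.
 * `now` is passed in so callers (and tests) control the clock. */
typedef struct {
    unsigned failures;
    long locked_until;
} auth_state;

int auth_attempt_allowed(const auth_state *st, long now)
{
    return now >= st->locked_until;
}

void auth_record_result(auth_state *st, int ok, long now)
{
    if (ok) {
        st->failures = 0;
        return;
    }
    if (++st->failures >= MAX_FAILURES) {
        st->locked_until = now + LOCK_SECONDS;
        st->failures = 0;
    }
}

int main(void)
{
    size_t steps;
    const char *secret = "hunter2";     /* constructed sample credential */

    leaky_password_match(secret, "hunter3", &steps);
    printf("leaky compare stopped after %zu matching bytes\n", steps);
    printf("constant-time match for the right password: %d\n",
           ct_password_match(secret, "hunter2"));
    return 0;
}
```

The leaky function is what the attacker exploits: sending "a", "b", ... and picking the guess that takes longest to be rejected recovers one byte per round. The fixed-work version makes every wrong guess cost the same, and the lockout bounds how many guesses a client gets even if some other timing signal remains.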
CVE-2021-42342 (Oct 14, 2021) - GoAhead
An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts.
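CVE-2017-17562 (in the known-exploited list above) and CVE-2021-42342 are both about request data reaching a CGI child's environment under names the server did not choose. The following is an added, constructed example (not GoAhead's or Appweb's code) of building the environment for a CGI child so that every form variable is namespaced with a fixed prefix and its name is validated before it is exported. The prefix string "CGI_", the function names and the sample variables are assumptions; the page only says "the CGI prefix".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CGI_PREFIX "CGI_"   /* assumed prefix; the page does not name GoAhead's */

static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p) memcpy(p, s, len);
    return p;
}

/* Only [A-Za-z0-9_] may appear in an exported variable name. */
static int valid_env_name(const char *var, size_t name_len)
{
    if (name_len == 0) return 0;
    for (size_t i = 0; i < name_len; i++) {
        char c = var[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '_';
        if (!ok) return 0;
    }
    return 1;
}

/* Build a NULL-terminated envp for a CGI child. server_vars are trusted
 * "NAME=value" strings chosen by the server; form_vars come from the request.
 * With prefix_form = 0 the form variables are exported under their own names,
 * which is the flaw the CVEs describe: a request can define any variable the
 * child, its libraries or the system interpret. With prefix_form = 1 each one
 * gets CGI_PREFIX, so it can never collide with such a name.
 * Returns the entry count, or -1 on invalid input or allocation failure;
 * release the result with free_env(). */
int build_cgi_env(char ***envp_out, const char *const server_vars[], int nserver,
                  const char *const form_vars[], int nform, int prefix_form)
{
    char **envp = calloc((size_t)nserver + (size_t)nform + 1, sizeof *envp);
    int n = 0;

    if (!envp) return -1;
    for (int i = 0; i < nserver; i++) {
        if (!(envp[n] = dup_str(server_vars[i]))) goto fail;
        n++;
    }
    for (int i = 0; i < nform; i++) {
        const char *eq = strchr(form_vars[i], '=');
        if (!eq || !valid_env_name(form_vars[i], (size_t)(eq - form_vars[i]))) goto fail;
        const char *prefix = prefix_form ? CGI_PREFIX : "";
        size_t len = strlen(prefix) + strlen(form_vars[i]) + 1;
        if (!(envp[n] = malloc(len))) goto fail;
        snprintf(envp[n], len, "%s%s", prefix, form_vars[i]);
        n++;
    }
    envp[n] = NULL;
    *envp_out = envp;
    return n;

fail:
    for (int i = 0; i < n; i++) free(envp[i]);
    free(envp);
    *envp_out = NULL;
    return -1;
}

void free_env(char **envp)
{
    if (!envp) return;
    for (char **p = envp; *p; p++) free(*p);
    free(envp);
}

/* Does envp define `name` exactly (match up to the '=')? */
int env_has_name(char *const envp[], const char *name)
{
    size_t len = strlen(name);
    for (char *const *p = envp; *p; p++) {
        if (strncmp(*p, name, len) == 0 && (*p)[len] == '=') return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed sample request: one benign field, one named like a
     * well-known environment variable */
    const char *const srv[] = {"REQUEST_METHOD=GET", "SCRIPT_NAME=/cgi-bin/test"};
    const char *const form[] = {"name=alice", "PATH=/tmp"};
    char **env = NULL;
    int n = build_cgi_env(&env, srv, 2, form, 2, 1);

    for (int i = 0; i < n; i++) printf("%s\n", env[i]);
    free_env(env);
    return 0;
}
```

With prefix_form = 0 the child receives PATH straight from the form field; with prefix_form = 1 it sees CGI_PATH, which nothing consults unless the script deliberately reads it. The name check matters for the same reason: a field whose name contains '=' or whitespace could otherwise smuggle a second variable into the same entry.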
CVE-2020-15688 (Jul 23, 2020) - GoAhead
The HTTP Digest Authentication in the GoAhead web server before 5.1.2 does not completely protect against replay attacks. This allows an unauthenticated remote attacker to bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel.

CVE-2020-15689 (Jul 13, 2020) - Appweb
Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI support, mishandles an HTTP request with a Range header that lacks an exact range. This may result in a NULL pointer dereference and cause a denial of service.

CVE-2019-5096 (Dec 03, 2019) - GoAhead
An exploitable code execution vulnerability exists in the processing of multipart/form-data requests within the base GoAhead web server application in versions v5.0.1, v4.1.1 and v3.6.5. A specially crafted HTTP request can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures that could lead to full code execution. The request can be unauthenticated in the form of GET or POST requests, and does not require the requested resource to exist on the server.

CVE-2019-5097 (Dec 03, 2019) - GoAhead
A denial-of-service vulnerability exists in the processing of multipart/form-data requests in the base GoAhead web server application in versions v5.0.1, v4.1.1 and v3.6.5. A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server.

CVE-2019-19240 (Nov 22, 2019) - GoAhead
Embedthis GoAhead before 5.0.1 mishandles redirected HTTP requests with a large Host header. The GoAhead WebsRedirect uses a static host buffer that has a limited length and can overflow. This can cause a copy of the Host header to fail, leaving that buffer uninitialized, which may leak uninitialized data in a response.

CVE-2019-16645 (Sep 20, 2019) - GoAhead
An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Always check with your vendor for the most up to date and accurate information.