go-bbs v1 exists to contain an arbitrary file download vulnerability via the component /api/v1/download.
71note go-bbs 1.0