Skip to main content

Gophish CVE-2026-39904

| EUVDEUVD-2026-38351 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-22 VulnCheck GHSA-42jc-v69j-g38f
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable web upload (AV:N), trivial crafted file (AC:L), requires authenticated User role (PR:L), no interaction, availability-only impact via OOM (A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 21:21 vuln.today
CVE Published
Jun 22, 2026 - 20:11 cve.org
HIGH 7.1

DescriptionCVE.org

Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without enforcing size restrictions on uncompressed content, allowing a zip bomb payload to expand to several gigabytes in memory and cause the process to be terminated by the operating system.

AnalysisAI

Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phishing-campaign server by uploading a zip-bomb Office document as an email template attachment. Publicly available exploit code exists, demonstrating that any account with the User role can trigger an OOM kill of the Gophish process and disrupt ongoing campaigns. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain User-role Gophish credentials
Delivery
Craft Office document containing zip-bomb entry
Exploit
Upload as email template attachment
Execution
ApplyTemplate() ioutil.ReadAll() expands payload in memory
Persist
Process exceeds RAM and is OOM-killed
Impact
Gophish service outage disrupts active campaigns

Vulnerability AssessmentAI

Exploitation Requires a valid Gophish account holding at least the User role (PR:L) and network reachability to the Gophish web UI; the attacker must invoke the email-template attachment upload feature with a crafted Office document (DOCX/XLSX/PPTX) that contains a zip-bomb payload exercising ApplyTemplate() in models/attachment.go. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 of 7.1 (AV:N/AC:L/PR:L/UI:N/VA:H) accurately reflects a network-reachable, low-complexity, single-impact (availability only) flaw requiring an authenticated User-role account; confidentiality and integrity are unaffected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a legitimate low-privilege Gophish User account - for example, a red-team customer on a shared phishing-as-a-service tenant or a disgruntled internal user of a corporate awareness platform - generates a small DOCX whose internal ZIP structure decompresses to several gigabytes. They upload it as an email template attachment, triggering ApplyTemplate() to call ioutil.ReadAll() on the bomb, the process balloons past available RAM, and the OS OOM-killer terminates Gophish, knocking out every concurrent campaign on the instance. …
Remediation No vendor-released patch identified at time of analysis; upstream fix version is not confirmed in the supplied data, so monitor the gophish/gophish GitHub repository and the VulnCheck advisory (https://www.vulncheck.com/advisories/gophish-denial-of-service-via-office-document-upload) for an updated release beyond 0.12.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Gophish instances running v0.12.1 or earlier; restrict file upload capabilities to administrative users only and audit recent upload activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-24707 HIGH POC
7.8 Oct 28

Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. Rated high severity (CVSS 7.8),

CVE-2025-70963 HIGH POC
7.6 Feb 06

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived

CVE-2020-24713 HIGH POC
7.5 Oct 28

Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. Rated high severity (CVSS 7.5), this vulnerab

CVE-2020-24711 MEDIUM POC
6.5 Oct 28

The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via

CVE-2022-25295 MEDIUM POC
5.4 Sep 11

This affects the package github.com/gophish/gophish before 0.12.0. Rated medium severity (CVSS 5.4), this vulnerability

CVE-2020-24712 MEDIUM POC
5.4 Oct 28

Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.

CVE-2020-24709 MEDIUM POC
5.4 Oct 28

Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. Rated m

CVE-2020-24708 MEDIUM POC
5.4 Oct 28

Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. Rated med

CVE-2020-24710 MEDIUM POC
5.3 Oct 28

Gophish before 0.11.0 allows SSRF attacks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,

CVE-2024-2211 MEDIUM
6.1 Mar 06

Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. Rated medium severity (CVSS 6.1), this vu

CVE-2019-16146 MEDIUM
4.8 Sep 09

Gophish through 0.8.0 allows XSS via a username. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploi

Share

CVE-2026-39904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy