Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable web upload (AV:N), trivial crafted file (AC:L), requires authenticated User role (PR:L), no interaction, availability-only impact via OOM (A:H).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without enforcing size restrictions on uncompressed content, allowing a zip bomb payload to expand to several gigabytes in memory and cause the process to be terminated by the operating system.
Articles & Coverage 1
AnalysisAI
Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phishing-campaign server by uploading a zip-bomb Office document as an email template attachment. Publicly available exploit code exists, demonstrating that any account with the User role can trigger an OOM kill of the Gophish process and disrupt ongoing campaigns. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid Gophish account holding at least the User role (PR:L) and network reachability to the Gophish web UI; the attacker must invoke the email-template attachment upload feature with a crafted Office document (DOCX/XLSX/PPTX) that contains a zip-bomb payload exercising ApplyTemplate() in models/attachment.go. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 of 7.1 (AV:N/AC:L/PR:L/UI:N/VA:H) accurately reflects a network-reachable, low-complexity, single-impact (availability only) flaw requiring an authenticated User-role account; confidentiality and integrity are unaffected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a legitimate low-privilege Gophish User account - for example, a red-team customer on a shared phishing-as-a-service tenant or a disgruntled internal user of a corporate awareness platform - generates a small DOCX whose internal ZIP structure decompresses to several gigabytes. They upload it as an email template attachment, triggering ApplyTemplate() to call ioutil.ReadAll() on the bomb, the process balloons past available RAM, and the OS OOM-killer terminates Gophish, knocking out every concurrent campaign on the instance. … |
| Remediation | No vendor-released patch identified at time of analysis; upstream fix version is not confirmed in the supplied data, so monitor the gophish/gophish GitHub repository and the VulnCheck advisory (https://www.vulncheck.com/advisories/gophish-denial-of-service-via-office-document-upload) for an updated release beyond 0.12.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Gophish instances running v0.12.1 or earlier; restrict file upload capabilities to administrative users only and audit recent upload activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. Rated high severity (CVSS 7.8),
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived
Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. Rated high severity (CVSS 7.5), this vulnerab
The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via
This affects the package github.com/gophish/gophish before 0.12.0. Rated medium severity (CVSS 5.4), this vulnerability
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.
Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. Rated m
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. Rated med
Gophish before 0.11.0 allows SSRF attacks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,
Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. Rated medium severity (CVSS 6.1), this vu
Gophish through 0.8.0 allows XSS via a username. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploi
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38351
GHSA-42jc-v69j-g38f