Skip to main content

Gonic

3 CVEs product

Monthly

CVE-2026-49340 Go HIGH POC PATCH GHSA This Week

Arbitrary file write in gonic music streaming server prior to v0.21.0 allows any authenticated Subsonic user - including non-admin accounts - to write attacker-controlled M3U playlist content to any absolute filesystem path on the host, while also creating intermediate directories with world-writable 0o777 permissions. The flaw stems from an unreachable guard clause in ServeCreateOrUpdatePlaylist combined with missing path containment in Store.Write. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4gxv-p5g5-j7w7 documents the issue and a fix is available.

Path Traversal Gonic
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-49338 Go HIGH POC PATCH GHSA This Week

Broken authorization in gonic music streaming server prior to version 0.21.0 allows any authenticated user to delete or read other users' playlists via the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view. Because playlist IDs are base64url-encoded paths containing a small integer user ID and a guessable filename, low-privileged users can enumerate IDs to wipe an administrator's curated playlists or exfiltrate the contents of any private playlist. No public exploit identified at time of analysis, and the issue is patched in commit 6dd71e6 included in version 0.21.0.

Authentication Bypass Gonic
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-49339 Go HIGH POC PATCH GHSA This Week

Authenticated path traversal in gonic music streaming server allows any Subsonic user to read or delete other users' playlists and probe arbitrary host file paths by smuggling `..` segments into the playlist `id` parameter. The flaw bypasses the ownership check introduced in commit 6dd71e6, which derived `playlist.UserID` from the first path segment of the attacker-controlled ID without containing the resolved file path. No public exploit identified at time of analysis, but a proof-of-concept test case is embedded in the upstream patch.

Path Traversal Gonic
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Arbitrary file write in gonic music streaming server prior to v0.21.0 allows any authenticated Subsonic user - including non-admin accounts - to write attacker-controlled M3U playlist content to any absolute filesystem path on the host, while also creating intermediate directories with world-writable 0o777 permissions. The flaw stems from an unreachable guard clause in ServeCreateOrUpdatePlaylist combined with missing path containment in Store.Write. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4gxv-p5g5-j7w7 documents the issue and a fix is available.

Path Traversal Gonic
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Broken authorization in gonic music streaming server prior to version 0.21.0 allows any authenticated user to delete or read other users' playlists via the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view. Because playlist IDs are base64url-encoded paths containing a small integer user ID and a guessable filename, low-privileged users can enumerate IDs to wipe an administrator's curated playlists or exfiltrate the contents of any private playlist. No public exploit identified at time of analysis, and the issue is patched in commit 6dd71e6 included in version 0.21.0.

Authentication Bypass Gonic
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Authenticated path traversal in gonic music streaming server allows any Subsonic user to read or delete other users' playlists and probe arbitrary host file paths by smuggling `..` segments into the playlist `id` parameter. The flaw bypasses the ownership check introduced in commit 6dd71e6, which derived `playlist.UserID` from the first path segment of the attacker-controlled ID without containing the resolved file path. No public exploit identified at time of analysis, but a proof-of-concept test case is embedded in the upstream patch.

Path Traversal Gonic
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy