CVE-2026-49340
8.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with 0o777 permissions. The bug is independent of CVE-2026-49338 and CVE-2026-49339. It is an unreachable guard clause combined with no path containment in Store.Write. Version 0.21.0 patches the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| sentriz | gonic | < 0.21.0 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-697: CWE-697: Incorrect Comparison
- CWE-732: CWE-732: Incorrect Permission Assignment for Critical Resource
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.