CVE Catalog

CVE-2026-49340

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

In gonic, a music streaming server, prior to version 0.21.0, there is a logic error in the `ServeCreateOrUpdatePlaylist` function that allows any authenticated Subsonic user (including non-admins) to write M3U playlist content to an attacker-controlled absolute filesystem path on the gonic host.

Risk Assessment

An attacker could exploit this vulnerability to write unauthorized files to the filesystem, potentially leading to further attacks or data integrity breaches.

Recommendation

It is recommended to upgrade to version 0.21.0 or later to mitigate this vulnerability and review filesystem permissions on the gonic host.

Original NVD description (English source)

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with `0o777` permissions. The bug is independent of CVE-2026-49338 and CVE-2026-49339. It is an unreachable guard clause combined with no path containment in `Store.Write`. Version 0.21.0 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS