CVE-2026-49340
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
In gonic, a music streaming server, prior to version 0.21.0, there is a logic error in the `ServeCreateOrUpdatePlaylist` function that allows any authenticated Subsonic user (including non-admins) to write M3U playlist content to an attacker-controlled absolute filesystem path on the gonic host.
Risk Assessment
An attacker could exploit this vulnerability to write unauthorized files to the filesystem, potentially leading to further attacks or data integrity breaches.
Recommendation
It is recommended to upgrade to version 0.21.0 or later to mitigate this vulnerability and review filesystem permissions on the gonic host.
Original NVD description (English source)
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with `0o777` permissions. The bug is independent of CVE-2026-49338 and CVE-2026-49339. It is an unreachable guard clause combined with no path containment in `Store.Write`. Version 0.21.0 patches the issue.

