{
  "vulnerability": "cve-2026-49340",
  "sightings": [
    {
      "uuid": "095fedef-4b8e-4e1e-99bf-284a989dc92f",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-49340",
      "type": "seen",
      "source": "https://gist.github.com/alon710/aef49efca881722a2606f374108f34f4",
      "content": "# CVE-2026-49340: CVE-2026-49340: Arbitrary File Write via Path Traversal in Gonic Subsonic Playlist Handler\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-06-26\n> **Full Report:** https://cvereports.com/reports/CVE-2026-49340\n\n## Summary\nAn arbitrary file write vulnerability exists in Gonic, a music streaming server implementing the Subsonic API. Due to an unreachable guard clause combined with missing path containment validation in the playlist storage engine, authenticated users can write playlist contents to arbitrary filesystem paths with overly permissive directory permissions.\n\n## TL;DR\nA logic error and missing path sanitation in Gonic before v0.21.0 allow authenticated users to execute arbitrary file writes across the host filesystem via crafted playlist names.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-22, CWE-697, CWE-732\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 8.1 (High)\n- **Exploit Status**: poc\n- **Impact**: Arbitrary File Write / Potential Remote Code Execution\n- **Privileges Required**: Low (PR:L)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Gonic music streaming server instances prior to version 0.21.0\n- **gonic**: < 0.21.0 (Fixed in: `0.21.0`)\n\n## Mitigation\n\n- Upgrade Gonic to version 0.21.0 or higher to apply security fixes for path traversal and validation checks.\n- Run the Gonic service as a non-root, low-privilege system user to restrict filesystem write impact.\n- Utilize Docker containers with restricted container namespaces and non-root execution contexts.\n- Configure reverse proxies or WAFs to detect and block directory traversal patterns in query parameters.\n\n**Remediation Steps:**\n1. Stop the running Gonic service instance on the target host.\n2. Pull or download Gonic binary version 0.21.0 or newer from the official repository releases page.\n3. Verify the Gonic service configuration to ensure it runs under an isolated user context (e.g., `user: \"1000:1000\"` in Docker Compose).\n4. Restart the Gonic service and monitor service logs for any initialization errors or unexpected failures.\n5. Audit the playlist directory to remove any directories created with overly permissive permissions (e.g., `find /path/to/playlists -type d -perm 777`).\n\n## References\n\n- [GitHub Security Advisory GHSA-4gxv-p5g5-j7w7](https://github.com/sentriz/gonic/security/advisories/GHSA-4gxv-p5g5-j7w7)\n- [Gonic Release tag v0.21.0](https://github.com/sentriz/gonic/releases/tag/v0.21.0)\n- [Gonic GitHub Repository](https://github.com/sentriz/gonic)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49340) - Automated Vulnerability Intelligence*",
      "creation_timestamp": "2026-06-26T23:42:14.768669Z"
    },
    {
      "uuid": "995a2927-33bb-4bb5-aee2-2ce026de04bf",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-49340",
      "type": "seen",
      "source": "https://gist.github.com/alon710/aef49efca881722a2606f374108f34f4",
      "content": "# CVE-2026-49340: CVE-2026-49340: Arbitrary File Write via Path Traversal in Gonic Subsonic Playlist Handler\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-06-26\n> **Full Report:** https://cvereports.com/reports/CVE-2026-49340\n\n## Summary\nAn arbitrary file write vulnerability exists in Gonic, a music streaming server implementing the Subsonic API. Due to an unreachable guard clause combined with missing path containment validation in the playlist storage engine, authenticated users can write playlist contents to arbitrary filesystem paths with overly permissive directory permissions.\n\n## TL;DR\nA logic error and missing path sanitation in Gonic before v0.21.0 allow authenticated users to execute arbitrary file writes across the host filesystem via crafted playlist names.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-22, CWE-697, CWE-732\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 8.1 (High)\n- **Exploit Status**: poc\n- **Impact**: Arbitrary File Write / Potential Remote Code Execution\n- **Privileges Required**: Low (PR:L)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Gonic music streaming server instances prior to version 0.21.0\n- **gonic**: < 0.21.0 (Fixed in: `0.21.0`)\n\n## Mitigation\n\n- Upgrade Gonic to version 0.21.0 or higher to apply security fixes for path traversal and validation checks.\n- Run the Gonic service as a non-root, low-privilege system user to restrict filesystem write impact.\n- Utilize Docker containers with restricted container namespaces and non-root execution contexts.\n- Configure reverse proxies or WAFs to detect and block directory traversal patterns in query parameters.\n\n**Remediation Steps:**\n1. Stop the running Gonic service instance on the target host.\n2. Pull or download Gonic binary version 0.21.0 or newer from the official repository releases page.\n3. Verify the Gonic service configuration to ensure it runs under an isolated user context (e.g., `user: \"1000:1000\"` in Docker Compose).\n4. Restart the Gonic service and monitor service logs for any initialization errors or unexpected failures.\n5. Audit the playlist directory to remove any directories created with overly permissive permissions (e.g., `find /path/to/playlists -type d -perm 777`).\n\n## References\n\n- [GitHub Security Advisory GHSA-4gxv-p5g5-j7w7](https://github.com/sentriz/gonic/security/advisories/GHSA-4gxv-p5g5-j7w7)\n- [Gonic Release tag v0.21.0](https://github.com/sentriz/gonic/releases/tag/v0.21.0)\n- [Gonic GitHub Repository](https://github.com/sentriz/gonic)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49340) - Automated Vulnerability Intelligence*",
      "creation_timestamp": "2026-06-27T00:00:58.410872Z"
    },
    {
      "uuid": "b291537c-ae26-43b6-b592-960f09faf648",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385",
      "vulnerability": "CVE-2026-49340",
      "type": "published-proof-of-concept",
      "source": "https://github.com/sentriz/gonic/security/advisories/GHSA-4gxv-p5g5-j7w7",
      "content": "",
      "creation_timestamp": "2026-06-27T00:35:12.349654Z"
    }
  ]
}