Lucene search
K

61 matches found

EUVD
EUVD
added 2026/06/26 11:33 p.m.13 views

EUVD-2026-38067

Subsonic API: any authenticated user can delete or read any other user's playlist IDOR...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/26 11:21 p.m.14 views

EUVD-2026-38068

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host...

8.1CVSS5.9AI score0.00269EPSS
Exploits0References2
NVD
NVD
added 2026/06/19 7:16 p.m.11 views

CVE-2026-49338

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...

7.1CVSS0.00168EPSS
Exploits0References2
NVD
NVD
added 2026/06/19 7:16 p.m.15 views

CVE-2026-49339

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS0.00262EPSS
Exploits0References3
NVD
NVD
added 2026/06/19 7:16 p.m.12 views

CVE-2026-49340

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user including non-admin to write playlist M3U content to an attacker-controlled absolute filesystem path o...

8.1CVSS0.00269EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/19 7:11 p.m.22 views

CVE-2026-49340 gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user including non-admin to write playlist M3U content to an attacker-controlled absolute filesystem path o...

8.1CVSS0.00269EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/19 7:8 p.m.5 views

CVE-2026-49338

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...

7.1CVSS5.9AI score0.00168EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/19 7:8 p.m.25 views

CVE-2026-49338

The CVE covers gonic, a Subsonic-compatible music server. Before 0.21.0, Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view allowed any authenticated user to delete or read any other user’s private playlist due to missing per-resource authorization. The playlist ID is bas...

7.1CVSS5.9AI score0.00168EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/19 6:23 p.m.6 views

CVE-2026-49339

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS6AI score0.00262EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/06/19 6:23 p.m.20 views

CVE-2026-49339 Path traversal in getPlaylist/deletePlaylist bypasses ownership check: any authenticated user can read or delete any other user's playlist

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS0.00262EPSS
Exploits0References3
CVE
CVE
added 2026/06/19 6:23 p.m.27 views

CVE-2026-49339

Summary: CVE-2026-49339 affects gonic’s getPlaylist/deletePlaylist endpoints. A path traversal-like flaw in the ownership check allows any authenticated Subsonic user to read or delete another user’s playlist and probe host paths. The root cause is that playlist.UserID is derived from the first p...

7.1CVSS6AI score0.00262EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.20 views

PT-2026-51012

Name of the Vulnerable Software and Affected Versions gonic versions prior to 0.21.0 Description The Subsonic API endpoints '/rest/deletePlaylist.view' and '/rest/getPlaylist.view' lack per-resource authorization. An authenticated user, regardless of privilege level, can delete any playlist or re...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.25 views

PT-2026-51013

Name of the Vulnerable Software and Affected Versions Gonic versions prior to 0.21.0 Description A logic error in the ServeCreateOrUpdatePlaylist function allows for arbitrary file write operations within the music streaming server. Recommendations Update to version 0.21.0 or later. As a temporar...

8.1CVSS5.9AI score0.00269EPSS
Exploits0References8
IBM Security Bulletins
IBM Security Bulletins
added 2026/01/30 9:14 a.m.6 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Path Traversal vulnerability due to github.com/gin-gonic/gin

Summary github.com/gin-gonic/gin is used by IBM watsonx Orchestrate Developer Edition as part of image: tools-runtime-manager Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|--- IBM watson...

5.9AI score
Exploits0Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2022-7542

Malicious code in bioql PyPI...

7.5CVSS5.9AI score0.01448EPSS
Exploits1References6
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-1974

Malicious code in bioql PyPI...

9.1CVSS7AI score0.00428EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2025/08/27 12:0 a.m.4 views

Linux Distros Unpatched Vulnerability : CVE-2019-25211

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/ is allowed...

9.1CVSS6.6AI score0.00428EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2024/11/06 2:30 p.m.35 views

Important: Red Hat Security Advisory: OpenShift Container Platform 4.13.53 bug fix and security update

Red Hat OpenShift Container Platform release 4.13.53 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a...

7.5CVSS7.1AI score0.91969EPSS
Exploits2References10
RedhatCVE
RedhatCVE
added 2024/07/05 5:7 a.m.19 views

CVE-2019-25211

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/ is allowed when the intention is that only https://example.com/ should be allowed, and http://localhost.example.com/ is allowed when the intention is...

6.5CVSS9AI score0.00428EPSS
Exploits0References9
SUSE CVE
SUSE CVE
added 2024/07/04 4:24 a.m.4 views

SUSE CVE-2019-25211

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/ is allowed when the intention is that only https://example.com/ should be allowed, and http://localhost.example.com/ is allowed when the intention is...

9.1CVSS6.9AI score0.00428EPSS
Exploits0References3
Rows per page
Query Builder