4 matches found
CVE-2026-49339
gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...
PT-2026-51012
Name of the Vulnerable Software and Affected Versions: gonic versions prior to 0.21.0 Description: The Subsonic API endpoints '/rest/deletePlaylist.view' and '/rest/getPlaylist.view' lack per-resource authorization. An authenticated user, regardless of privilege level, can delete any playlist or re...
PT-2025-16336 · Peertube · Peertube
Name of the Vulnerable Software and Affected Versions: PeerTube affected versions not specified Description: The issue allows an existing user to add playlists to a different user’s channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who...
PT-2025-16337 · Git · Peertube
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: This issue allows an attacker to add playlists to a different user's channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who perform...