Lucene search
K

8 matches found

EUVD
EUVD
added 2026/06/26 11:32 p.m.12 views

EUVD-2026-38062

gonic: Path Traversal in playlist id bypasses ownership check, enabling any user to read/delete other users' playlists...

7.1CVSS5.8AI score0.00262EPSS
Exploits0References4
NVD
NVD
added 2026/06/19 7:16 p.m.17 views

CVE-2026-49339

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS0.00262EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/19 6:23 p.m.6 views

CVE-2026-49339

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS6AI score0.00262EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/06/19 6:23 p.m.20 views

CVE-2026-49339 Path traversal in getPlaylist/deletePlaylist bypasses ownership check: any authenticated user can read or delete any other user's playlist

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS0.00262EPSS
Exploits0References3
CVE
CVE
added 2026/06/19 6:23 p.m.29 views

CVE-2026-49339

Summary: CVE-2026-49339 affects gonic’s getPlaylist/deletePlaylist endpoints. A path traversal-like flaw in the ownership check allows any authenticated Subsonic user to read or delete another user’s playlist and probe host paths. The root cause is that playlist.UserID is derived from the first p...

7.1CVSS6AI score0.00262EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.21 views

PT-2026-51009

Name of the Vulnerable Software and Affected Versions gonic versions prior to 0.21.0 Description An authenticated Subsonic user can bypass ownership checks to read or delete playlists belonging to other users and probe arbitrary file paths on the host for existence or readability. This occurs...

7.1CVSS6.1AI score0.00262EPSS
Exploits0References11
OSV
OSV
added 2026/03/29 3:41 p.m.7 views

GHSA-2RM7-J397-3FQG AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking

Summary The plugin/PlayLists/View/Playlistsschedules/add.json.php endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless of ownership. When the schedule executes, the rebroadcast runs under the...

6.3CVSS6AI score0.00249EPSS
Exploits1References4
OSV
OSV
added 2024/05/01 6:39 a.m.24 views

CVE-2024-32963 Parameter Tampering vulnerability in Navidrome

Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter valu...

4.2CVSS4.8AI score0.00413EPSS
Exploits1References3
Rows per page
Query Builder