4 matches found
EUVD-2026-38068
gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host...
CVE-2026-49338
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...
CVE-2026-49338
The CVE covers gonic, a Subsonic-compatible music server. Before 0.21.0, Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view allowed any authenticated user to delete or read any other user’s private playlist due to missing per-resource authorization. The playlist ID is bas...
UBUNTU-CVE-2021-21399
Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and...