CVE-2026-49339
Summary: CVE-2026-49339 affects gonic’s getPlaylist/deletePlaylist endpoints. A path traversal-like flaw in the ownership check allows any authenticated Subsonic user to read or delete another user’s playlist and probe host paths. The root cause is that playlist.UserID is derived from the first p...