CVE-2026-49338 - gonic playlist path traversal
gonic before 0.21.0 can allow path traversal through Subsonic playlist
handlers. Crafted playlist paths can reach filesystem content outside the
intended media library boundary.
Affected versions
- Vulnerable:
sentriz/gonic <0.21.0 - Fixed:
0.21.0+
Remediation strategy
- Upgrade to
0.21.0+. - Normalize playlist paths, reject absolute paths and traversal segments, and verify the final resolved path stays under the intended playlist root.
- Re-check any custom forks or wrappers around playlist handlers.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-49338 / GHSA-hmgp-w9jm-vp95 in gonic. Produce either a
reviewer-ready PR that upgrades gonic, hardens playlist path containment, and
adds regression tests, or TRIAGE.md if this repository does not control the
affected gonic runtime or fork.
Steps:
1. Inventory gonic modules, forks, images, and playlist handlers.
2. Upgrade every controlled version to 0.21.0+.
3. Add or verify final-path containment for playlist operations.
4. Add regression tests for traversal payloads.
5. Use PR title `fix(sec): remediate gonic playlist path traversal`.
Verification
- No controlled gonic runtime remains below
0.21.0. - Playlist handlers reject traversal payloads and stay under the intended root.