CVE-2026-49340 - gonic playlist arbitrary file write
gonic before 0.21.0 can let playlist creation or update write files outside
the intended directory, including via absolute paths and overly permissive
directory creation. In multi-user media deployments this can become a direct
filesystem corruption primitive.
Affected versions
- Vulnerable:
sentriz/gonic <0.21.0 - Fixed:
0.21.0+
Remediation strategy
- Upgrade to
0.21.0+. - Resolve final playlist paths under a fixed root, reject absolute paths and traversal segments, and use least-privilege permissions for any new directories.
- Test create and update flows with malicious filenames.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-49340 in gonic. Produce either a reviewer-ready PR that
upgrades gonic, hardens playlist write-path handling, and adds regression
tests, or TRIAGE.md if this repository does not control the affected gonic
runtime or fork.
Steps:
1. Inventory gonic modules, forks, images, and playlist write paths.
2. Upgrade every controlled version to 0.21.0+.
3. Enforce final-path containment and least-privilege directory creation.
4. Add tests for absolute-path and traversal-shaped filenames.
5. Use PR title `fix(sec): remediate gonic playlist arbitrary file write`.
Verification
- No controlled gonic runtime remains below
0.21.0. - Playlist create/update flows cannot write outside the intended root.
References
- GitHub Advisory Database entry: https://github.com/advisories?query=CVE-2026-49340
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49340