Home

Description

Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without enforcing size restrictions on uncompressed content, allowing a zip bomb payload to expand to several gigabytes in memory and cause the process to be terminated by the operating system.

PUBLISHED Reserved 2026-04-07 | Published 2026-06-22 | Updated 2026-06-23 | Assigner VulnCheck




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

Allocation of Resources Without Limits or Throttling

Product status

Default status
affected

Any version
affected

Credits

Ashik Mohamed (ashikmd7) finder

References

github.com/...hment Processing Leads to Server DoS/README.md (Researcher Disclosure) technical-description exploit

www.vulncheck.com/...l-of-service-via-office-document-upload third-party-advisory

cve.org (CVE-2026-39904)

nvd.nist.gov (CVE-2026-39904)

Download JSON