Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without enforcing size restrictions on uncompressed content, allowing a zip bomb payload to expand to several gigabytes in memory and cause the process to be terminated by the operating system.
References
Configurations
No configuration.
History
22 Jun 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-22 21:16
Updated : 2026-07-14 21:16
NVD link : CVE-2026-39904
Mitre link : CVE-2026-39904
CVE.ORG link : CVE-2026-39904
JSON object : View
Products Affected
No product.
CWE
CWE-770
Allocation of Resources Without Limits or Throttling
