PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39904 gophish CVE debrief

CVE-2026-39904 is a high-severity (CVSS 7.1) denial-of-service vulnerability in Gophish, a popular open-source phishing toolkit. An authenticated user holding only the User role can upload a crafted Office document as an email template attachment and exhaust the server's memory, terminating the Gophish process. The root cause is that the ApplyTemplate() function in models/attachment.go treats Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without bounding the uncompressed size. A zip bomb that is small on the wire but expands to several gigabytes in memory is enough to have the operating system kill the process. Gophish operators should act on this promptly.

Vendor
gophish
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-22
Original CVE updated
2026-06-23
Advisory published
2026-06-22
Advisory updated
2026-06-23

Who should care

Anyone running Gophish is affected, because the attack needs nothing more than an authenticated account with the User role; deployments that hand such accounts to many campaign operators or to external parties are the most exposed. Operators should upgrade to a patched version of Gophish and watch for signs of exploitation. Until the upgrade is in place, administrators should consider compensating controls such as limiting the size of email template attachments and monitoring server memory usage, keeping in mind that a zip bomb is small when compressed, so an upload-size limit alone narrows the attack rather than stopping it.

Technical summary

The vulnerability lies in the ApplyTemplate() function in models/attachment.go, which treats an uploaded Office document as a ZIP archive and calls ioutil.ReadAll() on each contained file entry without enforcing a limit on the uncompressed content. Because the caller never bounds how much each entry may inflate to, an attacker can submit a zip bomb whose archive is tiny but whose entries decompress to gigabytes; the read allocates that much memory, the server runs out of memory, and the process is terminated. Note that checking the compressed upload size does not help here, since the payload is small by design; the bound has to be applied to the uncompressed data as it is read. The vulnerability has a CVSS score of 7.1 and is classified as a high-severity issue.
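To make the failure mode concrete, the following is an added example in Go, not Gophish's own code and not the project's fix: it constructs an in-memory ZIP whose single entry is a few kilobytes on the wire but inflates to many megabytes, reads it once with the unbounded io.ReadAll pattern the advisory describes, and then again with a bounded reader that caps both the per-entry and the total uncompressed size. The function names, the cap values and the constructed archive are all assumptions for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// errEntryTooLarge is returned when an archive entry would inflate past the cap.
var errEntryTooLarge = errors.New("archive entry exceeds uncompressed size limit")

// buildArchive constructs an in-memory ZIP (the container format an Office
// document uses) holding one entry of `size` zero bytes. This is constructed
// test input: zeros deflate extremely well, so a multi-megabyte entry costs only
// a few kilobytes of archive, which is exactly what makes a zip bomb cheap to send.
func buildArchive(name string, size int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(name)
	if err != nil {
		panic(err)
	}
	chunk := make([]byte, 64*1024)
	for remaining := size; remaining > 0; {
		n := len(chunk)
		if remaining < n {
			n = remaining
		}
		if _, err := w.Write(chunk[:n]); err != nil {
			panic(err)
		}
		remaining -= n
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// readAllEntriesUnbounded illustrates the pattern the advisory describes: each
// entry is fully inflated with io.ReadAll (ioutil.ReadAll is the older name) and
// nothing caps how large that buffer grows. It is a stand-in, not Gophish's code.
func readAllEntriesUnbounded(archive []byte) (int, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	total := 0
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return 0, err
		}
		data, err := io.ReadAll(rc) // the attacker decides how much this allocates
		rc.Close()
		if err != nil {
			return 0, err
		}
		total += len(data)
	}
	return total, nil
}

// readAllEntriesBounded is the hardened form. It rejects entries whose declared
// size is already over the cap, then bounds the real read with io.LimitReader
// (the header is attacker-controlled and cannot be trusted on its own), and also
// caps the sum over all entries so many medium entries cannot add up to a bomb.
func readAllEntriesBounded(archive []byte, perEntry, totalLimit int64) (int, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range zr.File {
		if f.UncompressedSize64 > uint64(perEntry) {
			return 0, fmt.Errorf("%s declares %d bytes: %w", f.Name, f.UncompressedSize64, errEntryTooLarge)
		}
		rc, err := f.Open()
		if err != nil {
			return 0, err
		}
		// Read at most perEntry+1 bytes: seeing the extra byte proves the cap was exceeded.
		data, err := io.ReadAll(io.LimitReader(rc, perEntry+1))
		rc.Close()
		if err != nil {
			return 0, err
		}
		if int64(len(data)) > perEntry {
			return 0, fmt.Errorf("%s: %w", f.Name, errEntryTooLarge)
		}
		total += int64(len(data))
		if total > totalLimit {
			return 0, fmt.Errorf("archive inflates past %d bytes in total: %w", totalLimit, errEntryTooLarge)
		}
	}
	return int(total), nil
}

func main() {
	bomb := buildArchive("word/document.xml", 64<<20) // 64 MiB of zeros
	fmt.Printf("archive on the wire: %d bytes\n", len(bomb))
	n, err := readAllEntriesUnbounded(bomb)
	fmt.Printf("unbounded read inflated %d bytes (err=%v)\n", n, err)
	_, err = readAllEntriesBounded(bomb, 1<<20, 8<<20)
	fmt.Printf("bounded read: %v\n", err)
}
```

The caps used here (1 MiB per entry, 8 MiB per archive) are illustrative; a real limit should be sized for the largest legitimate Office template the deployment expects. The point of the LimitReader is that the decision is made on bytes actually produced by the decompressor, not on the compressed upload size or on the size the archive header claims.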

Defensive priority

High

Recommended defensive actions

  • Upgrade to a patched version of Gophish as soon as one is available to you
  • Limit the size of email template attachments, keeping in mind that a zip bomb is small when compressed, so this only narrows the attack until the uncompressed size is bounded by the patch
  • Monitor server memory usage and alert on the Gophish process being killed by the operating system or restarting unexpectedly
  • Implement compensating controls such as rate limiting and IP blocking, and, because the attacker must already be authenticated, review which accounts hold the User role and remove any that are not needed
  • Monitor for suspicious activity, in particular Office document attachments uploaded to email templates by User-role accounts shortly before a crash

Evidence notes

The vulnerability was reported by Vulncheck and is described in a GitHub advisory. The CVE record was published on June 22, 2026, and the NVD detail was updated on June 23, 2026. The stored evidence gives a CVSS score of 7.1 (high severity) and does not list the CVE in the CISA KEV catalog.

Official resources

This article was generated with AI assistance based on the supplied source corpus.