Description
Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without enforcing size restrictions on uncompressed content, allowing a zip bomb payload to expand to several gigabytes in memory and cause the process to be terminated by the operating system.
Published: 2026-06-22
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user with the User role to trigger a denial of service by uploading a specially crafted Office document as an email template attachment. The ApplyTemplate function processes the document as a ZIP archive and calls ReadAll on each file entry without enforcing size limits on the uncompressed content, enabling a zip bomb payload to consume gigabytes of memory and cause the server process to terminate. This results in a loss of availability for all users hosted on the affected Gophish instance.

Affected Systems

The flaw exists in Gophish version 0.12.1 and prior releases of the web phishing platform. Users who possess the User role can initiate the attack by uploading Office documents via the attachment feature in the web interface.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate severity, and while EPSS data is not available, the lack of a KEV listing suggests that mass exploitation has not yet been observed. The attack requires authentication and the ability to upload attachments, making it a potential insider threat. The impact is a service outage caused by memory exhaustion, which can be easily reproduced with a crafted input, resulting in a moderate to high risk for organizations running the vulnerable version.

Generated by OpenCVE AI on June 22, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Gophish release once a patch is available
  • Restrict uploads of Office documents to a reasonable size and disable the feature if it is not required, implementing server‑side checks to block uncompressed payloads that exceed the threshold
  • Monitor memory usage and configure alerts to detect abnormal spikes, applying temporary controls such as rate limiting or rejecting large ZIP archives until a patch is applied

Generated by OpenCVE AI on June 22, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without enforcing size restrictions on uncompressed content, allowing a zip bomb payload to expand to several gigabytes in memory and cause the process to be terminated by the operating system.
Title Gophish 0.12.1 Denial of Service via Office Document Upload
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T20:11:14.670Z

Reserved: 2026-04-07T20:57:06.209Z

Link: CVE-2026-39904

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T22:30:07Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling