CVE-2026-39904
Deferred Deferred - Pending Action

Gophish Memory Exhaustion via Malicious Office Template

Vulnerability report for CVE-2026-39904, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without enforcing size restrictions on uncompressed content, allowing a zip bomb payload to expand to several gigabytes in memory and cause the process to be terminated by the operating system.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gophish gophish 0.12.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Gophish through version 0.12.1 and is a denial of service issue. Authenticated users with the User role can exploit it by uploading a specially crafted Office document as an email template attachment. The vulnerability arises because the ApplyTemplate() function processes Office documents as ZIP archives and reads each contained file without limiting the size of the uncompressed content. This allows a zip bomb payload to expand to several gigabytes in memory, exhausting server memory and causing the process to be terminated by the operating system.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition. An attacker with authenticated User role access can cause the Gophish server to consume excessive memory by uploading a crafted Office document, leading to the server process being terminated. This can disrupt normal operations, causing downtime and potentially affecting availability of the service.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high memory usage or crashes of the GoPhish server process, especially after an authenticated user uploads an Office document as an email template attachment.

Since the vulnerability involves processing Office documents as ZIP archives without size restrictions, detection can involve checking for large or suspicious Office document uploads by authenticated users.

Specific commands are not provided in the available resources, but general approaches include:

  • Monitoring server logs for upload events of Office documents (.docx, .pptx, .xlsx) by users with User role.
  • Using system monitoring tools (e.g., top, htop, free) to detect spikes in memory usage corresponding to GoPhish server process.
  • Checking for process crashes or restarts of the GoPhish server.
Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability of authenticated users with the User role to upload Office document attachments as email templates.

Additionally, monitoring and limiting the size of uploaded Office documents can help prevent exploitation.

Longer-term remediation involves updating GoPhish to a version that validates both compressed and uncompressed sizes of ZIP entries, enforces strict size limits (e.g., 50MB per entry), and implements safeguards against zip bombs by tracking cumulative extracted size and limiting the total number of files processed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39904. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart