CVE-2026-39904
Status: Received - Intake
Gophish Memory Exhaustion via Malicious Office Template

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: VulnCheck

Description
Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without enforcing size restrictions on uncompressed content, allowing a zip bomb payload to expand to several gigabytes in memory and cause the process to be terminated by the operating system.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: gophish
Product: gophish
Version / Range: 0.12.1
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

This vulnerability exists in Gophish through version 0.12.1 and is a denial of service issue. Authenticated users with the User role can exploit it by uploading a specially crafted Office document as an email template attachment. The vulnerability arises because the ApplyTemplate() function processes Office documents as ZIP archives and reads each contained file without limiting the size of the uncompressed content. This allows a zip bomb payload to expand to several gigabytes in memory, exhausting server memory and causing the process to be terminated by the operating system.
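The description and the summary above both come down to one pattern: an Office template is opened as a ZIP archive and each entry is decompressed with ReadAll, so memory use is dictated by the archive's uncompressed size rather than by the size of the upload. The following Go program is an added illustration, not Gophish's own code from models/attachment.go: it builds a small constructed archive whose one entry inflates to 8 MiB, reads it once with the unbounded pattern and once with a bounded reader that enforces a per-entry and a total uncompressed cap. All function names, the error values and the limit sizes are assumptions chosen for the example; io.ReadAll is the current name of the ioutil.ReadAll call named in the advisory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Rejection reasons reported by the bounded reader (hypothetical names,
// not from the Gophish code base).
var (
	ErrEntryTooLarge   = errors.New("zip entry exceeds per-entry uncompressed limit")
	ErrArchiveTooLarge = errors.New("archive exceeds total uncompressed limit")
)

// buildSampleArchive constructs an in-memory ZIP that stands in for an Office
// document (constructed sample, not a real .docx): one small XML part plus one
// part of largeSize zero bytes, which deflates to a few kilobytes no matter
// how large largeSize is. That ratio is the whole problem.
func buildSampleArchive(largeSize int) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create("word/document.xml")
	if err != nil {
		return nil, err
	}
	if _, err := w.Write([]byte("<w:document>{{.FirstName}}</w:document>")); err != nil {
		return nil, err
	}
	w, err = zw.Create("word/media/filler.bin")
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(make([]byte, largeSize)); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readEntriesUnbounded reproduces the unsafe pattern from the advisory:
// every entry is inflated fully into memory with io.ReadAll, so the process
// allocates whatever the archive's uncompressed size happens to be.
func readEntriesUnbounded(archive []byte) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte, len(zr.File))
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc) // no cap on the inflated size
		rc.Close()
		if err != nil {
			return nil, err
		}
		out[f.Name] = data
	}
	return out, nil
}

// readEntriesBounded is the hardened form. It rejects entries whose declared
// size exceeds maxEntry, and because the size in a ZIP header is supplied by
// whoever built the archive, it also caps the actual inflated stream with
// io.LimitReader and keeps a running total across all entries.
func readEntriesBounded(archive []byte, maxEntry, maxTotal int64) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte, len(zr.File))
	var total int64
	for _, f := range zr.File {
		if f.UncompressedSize64 > uint64(maxEntry) {
			return nil, fmt.Errorf("%s: %w", f.Name, ErrEntryTooLarge)
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// Read at most maxEntry+1 bytes: more than maxEntry means the header
		// under-reported the size, and the entry is rejected either way.
		data, err := io.ReadAll(io.LimitReader(rc, maxEntry+1))
		rc.Close()
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > maxEntry {
			return nil, fmt.Errorf("%s: %w", f.Name, ErrEntryTooLarge)
		}
		total += int64(len(data))
		if total > maxTotal {
			return nil, ErrArchiveTooLarge
		}
		out[f.Name] = data
	}
	return out, nil
}

func main() {
	archive, err := buildSampleArchive(8 << 20) // 8 MiB inflated, a few KiB on disk
	if err != nil {
		panic(err)
	}
	fmt.Printf("archive size as uploaded: %d bytes\n", len(archive))
	if _, err := readEntriesBounded(archive, 1<<20, 4<<20); err != nil {
		fmt.Println("bounded reader rejected the archive:", err)
	}
}
```

The per-entry and total caps should be sized to what a real template legitimately needs, and a rejected archive should be logged with the offending entry name so that a single account repeatedly uploading oversized templates is visible in monitoring.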

Impact Analysis

The primary impact of this vulnerability is a denial of service. An attacker with authenticated User role access can make the Gophish server consume excessive memory by uploading a crafted Office document, leading to the server process being terminated by the operating system. This disrupts normal operations and causes downtime of the service.
