Denial of Service Vulnerability in Gophish by Phish Insight
CVE-2026-39904

7.1HIGH

Key Information:

Vendor: Gophish
Status: Gophish
Vendor: CVE Published:; 22 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-39904?

Gophish version 0.12.1 exhibits a denial of service vulnerability that allows authenticated users with limited access (User role) to overwhelm server resources. By uploading a specially crafted Office document as an email template attachment, an attacker can exploit the ApplyTemplate() function. This function handles Office documents as ZIP archives without proper size restrictions. As a result, an unbounded memory allocation occurs, enabling a zip bomb payload to expand drastically when processed, leading the server to exhaust its memory and crash. This vulnerability necessitates immediate attention to prevent potential service disruptions.

Affected Version(s)

gophish 0 <= 0.12.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-39904 - Proof of Concept

References

https://github.com/ashikmd7/GoPhish-0.12.1/blob/main/Unbo...

technical-descriptionexploit

https://www.vulncheck.com/advisories/gophish-denial-of-se...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 22, 2026
👾
Exploit known to exist
Jun 22, 2026
Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

Ashik Mohamed (ashikmd7)

CVE-2026-39904 Data

JSON