HIGH 8.1 CVE-2026-49340 gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host
from 0, < 0.21.0
HIGH 7.1 CVE-2026-49338 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
from 0, < 0.21.0
HIGH 7.1 CVE-2026-49339 gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists