CVE-2025-15414

MEDIUM 4.7

go-sonic Theme Fetching API git_fetcher.go FetchTheme server-side request forgery

CVSS Score

4.7

EPSS Score

0.0%

EPSS Percentile

0th

A flaw has been found in go-sonic sonic up to 1.1.4. The affected element is the function FetchTheme of the file service/theme/git_fetcher.go of the component Theme Fetching API. Executing a manipulation of the argument uri can lead to server-side request forgery. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-918
Vendor	go-sonic
Product	sonic
Published	Jan 1, 2026
Last Updated	Feb 23, 2026

Stay Ahead of the Next One

Get instant alerts for go-sonic sonic

Be the first to know when new medium vulnerabilities affecting go-sonic sonic are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

go-sonic / sonic

1.1.0 1.1.1 1.1.2 1.1.3 1.1.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.339335 vuldb.com: https://vuldb.com/?ctiid.339335 vuldb.com: https://vuldb.com/?submit.719789 note-hxlab.wetolink.com: https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ note-hxlab.wetolink.com: https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ#-span--strong-proof-of-concept---strong---span-

Credits

🔍 hiro (VulDB User)