CVE-2026-49339: gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists
The maintainer’s recent fix in 6dd71e6a3c966867ef8c900d359a7df75789f410 (fix(subsonic): enforce playlist ownership on getPlaylist/deletePlaylist) added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controlled playlist ID, and the file path resolved from that ID is never checked for containment within the user’s own playlist directory. The ownership check therefore compares against a value the attacker chooses, while the `..` segments that follow it decide which file is actually opened.
Any authenticated Subsonic user can therefore bypass the ownership check and:
- Read any other user’s playlist (name, comment, IsPublic flag, song list) by crafting a base64-encoded playlist ID whose first segment matches their own user ID, followed by traversal segments pointing into another user’s playlist directory.
- Delete any other user’s playlist (including admin’s curated playlists) by the same trick against deletePlaylist.
- Probe arbitrary file paths on the host for existence/readability.
This is a bypass of the boundary the 6dd71e6 fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the id parameter rather than direct cross-user access).
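To make the primitive concrete, the following is an added Go example modelling the pattern the advisory describes; it is not gonic’s code. It assumes a layout of `playlistsRoot/<userID>/<file>`, that a playlist ID is the standard-alphabet base64 of that relative path, and the function names shown. `resolveVulnerable` reads ownership from the first segment and joins the path without a containment check, so a `..` after the attacker’s own user ID passes the check and escapes their directory. `resolveHardened` instead derives ownership from the resolved path by requiring it to stay strictly inside the requesting user’s own directory.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// Assumed layout (not gonic's): playlists live under playlistsRoot/<userID>/<file>,
// and a playlist ID is the standard-alphabet base64 of that relative path.
const playlistsRoot = "/data/playlists"

var (
	ErrBadID     = errors.New("malformed playlist id")
	ErrForbidden = errors.New("playlist does not belong to the requesting user")
)

// encodeID builds an ID the way a client would; the attacker uses the same
// encoding to smuggle ".." segments past the first-segment owner check.
func encodeID(relPath string) string {
	return base64.StdEncoding.EncodeToString([]byte(relPath))
}

func decodeID(id string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(id)
	if err != nil {
		return "", ErrBadID
	}
	return string(raw), nil
}

// resolveVulnerable models the flawed check: the owner is read from the first
// segment of the attacker-controlled path, and the joined path is never verified
// to stay inside that user's directory. filepath.Join collapses "..", so
// "2/../1/x.m3u" is accepted as user 2's and resolves into user 1's directory.
func resolveVulnerable(requestUserID int, id string) (string, error) {
	rel, err := decodeID(id)
	if err != nil {
		return "", err
	}
	owner, err := strconv.Atoi(strings.SplitN(rel, "/", 2)[0])
	if err != nil {
		return "", ErrBadID
	}
	if owner != requestUserID {
		return "", ErrForbidden
	}
	return filepath.Join(playlistsRoot, rel), nil
}

// resolveHardened derives ownership from the resolved path, not the request:
// the cleaned absolute path must be a strict descendant of the requesting user's
// own directory. Traversal and absolute paths fail the containment test.
func resolveHardened(requestUserID int, id string) (string, error) {
	rel, err := decodeID(id)
	if err != nil {
		return "", err
	}
	userDir := filepath.Join(playlistsRoot, strconv.Itoa(requestUserID))
	abs := filepath.Join(playlistsRoot, rel) // Join applies Clean, resolving ".."
	inside, err := filepath.Rel(userDir, abs)
	escapes := inside == "." || inside == ".." ||
		strings.HasPrefix(inside, ".."+string(filepath.Separator))
	if err != nil || escapes {
		return "", ErrForbidden
	}
	return abs, nil
}

func main() {
	// Constructed inputs: user 2 is the requester, user 1 owns favourites.m3u.
	cases := []string{
		"2/road-trip.m3u",       // legitimate access to own playlist
		"2/../1/favourites.m3u", // cross-user read/delete via traversal
		"2/../../../etc/passwd", // probing an arbitrary host path
	}
	for _, rel := range cases {
		id := encodeID(rel)
		v, verr := resolveVulnerable(2, id)
		h, herr := resolveHardened(2, id)
		fmt.Printf("%-24s vulnerable=%q %v | hardened=%q %v\n", rel, v, verr, h, herr)
	}
}
```

The same containment check has to sit in front of every operation that takes a playlist ID, deletePlaylist included, since the advisory notes the delete path is reachable by the same trick. Containment on the cleaned lexical path does not account for symlinks inside a user’s directory; where that matters, resolve with `filepath.EvalSymlinks` before the `filepath.Rel` check, or open files through `os.Root` (Go 1.24+), which refuses to escape its root.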