CVE-2026-49128
7.5 HIGHMusic Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::...
Published: 2026-05-28 · Last updated: 2026-05-29
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-22
Description
Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-49128
- [Other]https://github.com/MusicPlayerDaemon/MPD/commit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60
- [Other]https://github.com/MusicPlayerDaemon/MPD/issues/2484
- [Other]https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
- [Other]https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html
- [Other]https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
- [Other]https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
- [Other]https://www.vulncheck.com/advisories/music-player-daemon-path-traversal-via-localstorage-uri-handling
- [Other]https://github.com/MusicPlayerDaemon/MPD/issues/2484
Related CVEs
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)