NVD Vulnerability Details: CVE-2026-49128
Deferred
Source: disclosure@vulncheck.com
Published At: 28 May, 2026 | 20:16
Updated At: 29 May, 2026 | 14:16

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses
CWE ID: CWE-22
Type: Secondary
Source: disclosure@vulncheck.com
References
Hyperlink: https://github.com/MusicPlayerDaemon/MPD/commit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/MusicPlayerDaemon/MPD/issues/2484
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/music-player-daemon-path-traversal-via-localstorage-uri-handling
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/MusicPlayerDaemon/MPD/issues/2484
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: N/A