Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

MusicPlayerDaemon

Source -

CNA

BOS Name -

N/A

CNA CVEs -

4

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
4Vulnerabilities found
CVE-2026-49130
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-6.9||MEDIUM
EPSS-0.05% / 15.52%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:12
Updated-29 May, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx

Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.

Action-Not Available
Vendor-MusicPlayerDaemon
Product-MPD
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2026-49129
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-6.9||MEDIUM
EPSS-0.04% / 14.24%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:10
Updated-29 May, 2026 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin

Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.

Action-Not Available
Vendor-MusicPlayerDaemon
Product-MPD
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-49128
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.11% / 29.54%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:02
Updated-29 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

Action-Not Available
Vendor-MusicPlayerDaemon
Product-MPD
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-49127
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.06% / 19.86%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:59
Updated-29 May, 2026 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

Action-Not Available
Vendor-MusicPlayerDaemon
Product-MPD
CWE ID-CWE-193
Off-by-one Error