Zeroscience

**Name of the Vulnerable Software and Affected Versions** Lightweight Music Server versions prior to 3.76.1 **Description** A stored cross-site scripting issue exists where attackers can execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags, specifically `GENRE`, `ARTIST`, or `ALBUM`. The payload is saved during library scanning and executed automatically in the web interface because the tag content is rendered using the `Wt::TextFormat::UnsafeXHTML` format in the `src/lms/ui/Utils.cpp` file without proper sanitization. **Recommendations** Update to a version later than 3.76.0.