PT-2026-20972 · Unknown · Music Assistant

Published: 2026-02-20 · Updated: 2026-02-20 · CVE-2026-26975

CVSS v3.1: 8.8
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Music Assistant versions 2.6.3 and below

Description: Music Assistant, an open-source media library manager, is susceptible to unauthenticated remote code execution from network-adjacent attackers. The issue stems from a bypass of the .m3u extension enforcement within the /music/playlists/update API endpoint, allowing attackers to write files to arbitrary locations on the filesystem. The application runs as root, exacerbating the impact. Exploitation involves writing a malicious .pth file to the Python site-packages directory, leading to arbitrary command execution when the Python interpreter starts and processes that directory. The update API endpoint and the .pth file are key components in the exploitation process.

Recommendations: Update to version 2.7.0 or later.
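As an added illustration, not code from Music Assistant or from this advisory: a hardened resolver for a playlist-write path that enforces the .m3u suffix on the exact string that reaches the filesystem and confines the resolved target to the playlist directory. The base directory, function names and sample inputs are assumptions.

```python
from __future__ import annotations

from pathlib import Path

PLAYLIST_SUFFIX = ".m3u"


class InvalidPlaylistPath(ValueError):
    """Raised when a requested playlist file name must not be written."""


def resolve_playlist_path(base_dir: str | Path, requested: str) -> Path:
    """Return the only path a playlist update may write to, or raise.

    The suffix check runs on the final string (nothing is decoded or
    normalised after it), the name must be a single path component, and
    the resolved target must sit directly under base_dir.
    """
    # Control characters, NUL included, are rejected first: a NUL can truncate
    # the name in a lower layer so that a checked ".m3u" never reaches disk.
    if any(ord(c) < 0x20 for c in requested):
        raise InvalidPlaylistPath("control character in playlist name")
    # A bare file name only: no separators, hence no "../" components either.
    if "/" in requested or "\\" in requested or requested in ("", ".", ".."):
        raise InvalidPlaylistPath("playlist name must be a bare file name")
    # Extension check on the final string; ".M3U" is fine, ".pth" is not,
    # and a name consisting only of the suffix is not either.
    if (not requested.lower().endswith(PLAYLIST_SUFFIX)
            or len(requested) == len(PLAYLIST_SUFFIX)):
        raise InvalidPlaylistPath("playlist name must end in .m3u")
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    # Defence in depth: after following symlinks the target's parent must
    # still be the playlist directory itself.
    if target.parent != base:
        raise InvalidPlaylistPath("target escapes the playlist directory")
    return target


def is_allowed_playlist_write(base_dir: str | Path, requested: str) -> bool:
    """Boolean wrapper for callers that log and continue instead of raising."""
    try:
        resolve_playlist_path(base_dir, requested)
        return True
    except InvalidPlaylistPath:
        return False


if __name__ == "__main__":
    # Constructed sample names (assumed, not taken from the advisory).
    for name in ["party.m3u", "Party.M3U", "hooks.pth", "x.pth\x00.m3u",
                 "../../outside.pth", ".m3u"]:
        print(repr(name), "->", is_allowed_playlist_write("/srv/playlists", name))
```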

Tags: Exploit · Fix · RCE · Path traversal · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-26975, GHSA-7JCC-P6XR-835J

Affected Products: Music Assistant