PT-2026-44497 · Unknown · Music Player Daemon
Daniele Berardinelli
+1
·
Published
2026-05-28
·
Updated
2026-05-28
·
CVE-2026-49130
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Music Player Daemon (MPD) versions prior to 0.24.11
Description
A CRLF injection issue exists in the
xspf char data() function within the XSPF playlist plugin. This occurs because Expat decodes XML numeric character references before the character data callback, allowing attackers to embed literal Carriage Return (CR) and Line Feed (LF) bytes in URI fields by providing a malicious XSPF playlist. Consequently, forged key-value lines can be injected via the location field into the state file writer and MPD protocol responses, specifically the 'playlistinfo', 'currentsong', and 'listplaylist' outputs.Recommendations
Update to version 0.24.11 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Music Player Daemon