PT-2026-44924 · Xiaomusic · Xiaomusic
Yu Sun
·
Published
2026-05-29
·
Updated
2026-07-13
·
CVE-2026-10108
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
xiaomusic version 0.5.7
Description
An unauthenticated path traversal issue exists in the 'GET /music/{file path:path}' endpoint. This occurs due to an incomplete path prefix check and a missing trailing separator in the comparison logic. Unauthenticated attackers can bypass path restrictions by crafting traversal sequences to request files from sibling directories that share the
music path prefix, allowing the retrieval of arbitrary files from the server.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Xiaomusic