PT-2026-44924 · Xiaomusic · Xiaomusic

Yu Sun

·

Published

2026-05-29

·

Updated

2026-07-13

·

CVE-2026-10108

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions xiaomusic version 0.5.7
Description An unauthenticated path traversal issue exists in the 'GET /music/{file path:path}' endpoint. This occurs due to an incomplete path prefix check and a missing trailing separator in the comparison logic. Unauthenticated attackers can bypass path restrictions by crafting traversal sequences to request files from sibling directories that share the music path prefix, allowing the retrieval of arbitrary files from the server.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-10108
GHSA-5J8P-5RRJ-8WJG
PYSEC-2026-3429

Affected Products

Xiaomusic