PT-2026-45437 · Unknown · Lightweight Music Server

Zeroscience · Published 2026-06-01 · Updated 2026-06-01 · CVE-2026-48559

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Lightweight Music Server versions prior to 3.76.1

Description

A stored cross-site scripting issue exists where attackers can execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags, specifically GENRE, ARTIST, or ALBUM. The payload is saved during library scanning and executed automatically in the web interface because the tag content is rendered using the Wt::TextFormat::UnsafeXHTML format in the src/lms/ui/Utils.cpp file without proper sanitization.

Recommendations

Update to a version later than 3.76.0.
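
The class of fix the description points to is escaping tag values at the point where they are placed into markup. The following is an added example, not Lightweight Music Server code and not the project's actual patch; escapeForXhtml, renderTrackRow and the sample tag values are hypothetical names and constructed data.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <string_view>

// Escape the characters that are significant in XHTML text and attribute
// values, so a tag value is displayed as text instead of parsed as markup.
std::string escapeForXhtml(std::string_view in)
{
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;        break;
        }
    }
    return out;
}

// Hypothetical helper (not an LMS function): build the markup for one track
// row from scanned metadata, escaping every tag value at the point of output.
std::string renderTrackRow(const std::map<std::string, std::string>& tags)
{
    auto field = [&tags](const char* name) {
        auto it = tags.find(name);
        return escapeForXhtml(it == tags.end() ? std::string() : it->second);
    };
    return "<span class=\"artist\">" + field("ARTIST") + "</span>"
         + "<span class=\"album\">" + field("ALBUM") + "</span>"
         + "<span class=\"genre\" title=\"" + field("GENRE") + "\">"
         + field("GENRE") + "</span>";
}

int main()
{
    // Constructed sample metadata; ALBUM and GENRE carry markup.
    const std::map<std::string, std::string> tags{
        {"ARTIST", "AC/DC"},
        {"ALBUM", "<img src=x onerror=alert(1)>"},
        {"GENRE", "\"><b>Rock & Roll"},
    };
    std::cout << renderTrackRow(tags) << '\n';
}
```

The GENRE value is used both as element text and inside a quoted attribute, which is why the quote characters are escaped along with the angle brackets.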

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-48559

Affected Products

Lightweight Music Server