CVE-2026-49128

CVE Database · CVE-2026-49128

CVE-2026-49128

· HIGHDeferred

CVSS v3.1

7.5

CVSS v4.0

8.7

EPSS

0.50%

Published

May 28, 2026

Modified

May 29, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-22

References (8)

https://github.com/MusicPlayerDaemon/MPD/commit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60

https://github.com/MusicPlayerDaemon/MPD/issues/2484

https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11

https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html

https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS

https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/

https://www.vulncheck.com/advisories/music-player-daemon-path-traversal-via-localstorage-uri-handling

https://github.com/MusicPlayerDaemon/MPD/issues/2484

KEV Catalog EPSS Scores Vendors All CVEs