Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the loca…

Published:

27 May 2026 at 22:00:00

Alert date:

28 May 2026 at 21:01:38

Source:

nvd.nist.gov

Enterprise Applications

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in the local storage plugin. The vulnerability exists in the LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 functions, where user-supplied URIs are joined with the storage root path without proper canonicalization. As a result, '..' segments survive the join and enable directory traversal. Unauthenticated attackers can exploit this using the listfiles command to enumerate arbitrary directories and the albumart command to read image files outside the configured music directory. The flaw affects any directories readable by the MPD process.
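
The join described above, next to a checked variant, as an added example (not MPD's code and not its actual fix). The function names map_naive and map_checked and the sample root and URIs are assumptions constructed for illustration.

```cpp
// Added illustration; not MPD source code. Function names are hypothetical.
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Unsafe pattern from the advisory: join root and URI with no validation.
// '..' segments survive, and a rooted URI replaces the root entirely.
fs::path map_naive(const fs::path &root, const std::string &uri) {
    return root / uri;
}

// Checked mapping: reject rooted URIs and '..' segments, then confirm the
// normalized result still has the storage root as its leading components.
std::optional<fs::path> map_checked(const fs::path &root, const std::string &uri) {
    const fs::path rel(uri);
    if (rel.has_root_name() || rel.has_root_directory())
        return std::nullopt;
    for (const auto &seg : rel)
        if (seg == "..")
            return std::nullopt;

    fs::path base = root.lexically_normal();
    if (!base.has_filename())          // drop a trailing separator
        base = base.parent_path();
    const fs::path joined = (base / rel).lexically_normal();

    // Containment check (lexical only; resolving symlinks on disk would
    // additionally need fs::weakly_canonical on both paths).
    const auto b = std::mismatch(base.begin(), base.end(),
                                 joined.begin(), joined.end()).first;
    if (b != base.end())
        return std::nullopt;
    return joined;
}

int main() {
    const fs::path root = "/var/lib/mpd/music";   // constructed sample root
    for (const std::string uri : {"albums/a/cover.jpg", "../../../etc", "/etc"}) {
        const auto safe = map_checked(root, uri);
        std::cout << uri << "\n  naive:   " << map_naive(root, uri).lexically_normal()
                  << "\n  checked: " << (safe ? safe->string() : "rejected") << "\n";
    }
}
```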

Affected products:

Music Player Daemon (MPD)

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.