CVE-2026-10108
xiaomusic 0.5.7 Path Traversal via GET /music endpoint
CVSS Score
7.5
EPSS Score
0.2%
EPSS Percentile
39th
xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability (CWE-22) in the GET /music/{file_path:path} endpoint. The handler is meant to confine reads to the configured music_path directory, but its containment check is a string-prefix comparison with no trailing path separator, so any path that merely begins with the music_path string passes. A sibling directory whose name shares that prefix (for illustration, a music_path of /srv/music would also admit /srv/music_backup) is therefore treated as inside the allowed tree. An attacker with no credentials can place a traversal sequence such as ../ in file_path to read files from such sibling directories. Paths that do not share the prefix (for example /etc/passwd) are still rejected, so the exposure is a file read outside the intended music directory, scoped to locations whose path shares the music_path prefix.
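The following is an added illustration of the flaw class described above and of the corrected check; it is not xiaomusic's code and does not reproduce the project's handler. The function names, the music_path value /srv/music, and the sibling directory /srv/music_backup are hypothetical, chosen only to show why a prefix comparison without a trailing separator admits a sibling directory while a directory-containment check does not.

```python
import os
from pathlib import Path

# Hypothetical configuration used for the demonstration (not from the project).
MUSIC_PATH = "/srv/music"

# Constructed requests: a normal file, a traversal into a sibling directory
# whose name starts with the music_path string, and a traversal to a path that
# shares no prefix with music_path.
REQUESTS = [
    "song.mp3",
    "../music_backup/secret.txt",
    "../../etc/passwd",
]


def vulnerable_is_allowed(music_path: str, file_path: str) -> bool:
    """Reconstruction of the flawed pattern: a plain string-prefix check.

    The base directory is compared without a trailing separator, so
    "/srv/music_backup/secret.txt".startswith("/srv/music") is True.
    """
    base = os.path.abspath(music_path)
    target = os.path.abspath(os.path.join(base, file_path))
    return target.startswith(base)  # BUG: prefix match, not containment


def hardened_is_allowed(music_path: str, file_path: str) -> bool:
    """Containment check that treats music_path as a directory.

    Path.relative_to() raises ValueError unless target is base itself or a
    descendant of base, so a sibling such as /srv/music_backup is rejected.
    resolve() also follows symlinks, so a link inside the music tree that
    points elsewhere is judged by where it actually points.
    An equivalent check is os.path.commonpath([base, target]) == base.
    """
    base = Path(music_path).resolve()
    # Joining an absolute file_path would discard base; resolve() then
    # yields that absolute path and relative_to() rejects it.
    target = (base / file_path).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return False
    return True


def compare(music_path: str, requests: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each request to (vulnerable_result, hardened_result)."""
    return {
        r: (vulnerable_is_allowed(music_path, r), hardened_is_allowed(music_path, r))
        for r in requests
    }


if __name__ == "__main__":
    for req, (vuln, hard) in compare(MUSIC_PATH, REQUESTS).items():
        print(f"{req:30s} vulnerable={vuln!s:5s} hardened={hard!s:5s}")
```

Running the block shows the divergence on the second request only: the prefix check admits ../music_backup/secret.txt because the resolved path begins with /srv/music, whereas the containment check rejects it; both checks accept song.mp3 and both reject ../../etc/passwd.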
| CWE | CWE-22 |
| Vendor | hanxi |
| Product | xiaomusic |
| Published | May 29, 2026 |
| Last Updated | Jun 1, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
hanxi / xiaomusic
Version range: 0 ≤ version ≤ 0.5.7
Git range: 0 ≤ commit ≤ 88404da7a283f2c0a796a4cd16bbb6e6aa1f4722 (the fixing commit)
References
github.com: https://github.com/hanxi/xiaomusic/issues/890
github.com: https://github.com/hanxi/xiaomusic/pull/891
github.com: https://github.com/hanxi/xiaomusic/commit/88404da7a283f2c0a796a4cd16bbb6e6aa1f4722
vulncheck.com: https://www.vulncheck.com/advisories/xiaomusic-path-traversal-via-get-music-endpoint
Credits
YU SUN