CVE Alert

CVE-2026-42052

UNKNOWN 0.0

beets is Vulnerable to XSS

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Beets is a media library management system. Prior to version 2.10.0, the bundled web UI uses the Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> inserts the value raw; HTML escaping is performed only by <%- ... %>. The rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.
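
The difference between the two tags, shown as an added example (not code from beets or from Underscore): a minimal stand-in renderer that handles only bare field names, run over constructed metadata, plus an audit helper that lists the raw-interpolation tags in a template source. The names render, escapeHtml and findRawInterpolations are hypothetical.

```javascript
// Stand-in for the two Underscore output tags described above (assumption:
// only bare field names are supported; this is not Underscore itself).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };

function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"'`]/g, (ch) => ESCAPES[ch]);
}

// <%= field %> inserts the value raw; <%- field %> inserts it HTML-escaped.
function render(template, data) {
  return template.replace(/<%([=-])\s*(\w+)\s*%>/g, (_, mode, field) => {
    const value = data[field] == null ? '' : String(data[field]);
    return mode === '-' ? escapeHtml(value) : value;
  });
}

// Audit helper: report every raw-interpolation tag so each one can be
// reviewed and, for untrusted fields, switched to <%- ... %>.
function findRawInterpolations(source) {
  const hits = [];
  source.split('\n').forEach((line, index) => {
    for (const match of line.matchAll(/<%=\s*(.*?)\s*%>/g)) {
      hits.push({ line: index + 1, expression: match[1] });
    }
  });
  return hits;
}

// Constructed sample: a metadata field carrying markup and special characters.
const track = { title: '<i>live</i> & "demo"', artist: 'Tom & Jerry' };

// Constructed templates: the title tag differs between the two variants.
const vulnerable = '<li class="title"><%= title %></li>\n<li class="artist"><%- artist %></li>';
const patched = '<li class="title"><%- title %></li>\n<li class="artist"><%- artist %></li>';

// Handed to .html(...), the first result is parsed as markup, the second as text.
console.log(render(vulnerable, track));
console.log(render(patched, track));
console.log(findRawInterpolations(vulnerable)); // one hit: line 1, "title"
console.log(findRawInterpolations(patched));    // no hits
```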

CWE CWE-79
Vendor beetbox
Product beets
Published May 4, 2026

Affected Versions

beetbox / beets
< 2.10.0

References

github.com: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
github.com: https://github.com/beetbox/beets/releases/tag/v2.10.0