CVE-2026-48559

MEDIUM 5.4

Lightweight Music Server 3.76.0 Stored XSS via Media File Metadata Tags

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

Lightweight Music Server (LMS) though 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim's library, causing the payload to be saved during library scanning and executed automatically in the web interface due to tag content being rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp.

CWE	CWE-79
Vendor	epoupon
Product	lms
Published	Jun 1, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for epoupon lms

Be the first to know when new medium vulnerabilities affecting epoupon lms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

epoupon / lms

0 ≤ 3.76.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

zeroscience.mk: https://www.zeroscience.mk/#/advisories/ZSL-2026-5987 github.com: https://github.com/epoupon/lms/issues/844 github.com: https://github.com/epoupon/lms/milestone/94 vulncheck.com: https://www.vulncheck.com/advisories/lightweight-music-server-stored-xss-via-media-file-metadata-tags

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab