Skip to main content

xiaomusic CVE-2026-10108

| EUVDEUVD-2026-33366 HIGH
Path Traversal (CWE-22)
2026-05-29 VulnCheck GHSA-5j8p-5rrj-8wjg
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 29, 2026 - 18:28 vuln.today
v3 (cvss_changed)
Analysis Updated
May 29, 2026 - 18:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 29, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
May 29, 2026 - 18:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
May 29, 2026 - 17:55 vuln.today
Analysis Generated
May 29, 2026 - 17:55 vuln.today

DescriptionCVE.org

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the music_path prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server.

AnalysisAI

{file_path:path} endpoint. The flaw stems from comparing an attacker-controlled absolute path against the music base path without a trailing separator, so sibling directories sharing the base name's prefix are reachable. No public exploit identified at time of analysis, but the upstream commit publicly discloses the exact bypass technique.

Technical ContextAI

xiaomusic is a Python-based music streaming service (vendor: hanxi) that exposes HTTP routes under /music/ and /picture/ to serve files from a configured base directory. The vulnerability is a textbook CWE-22 (Path Traversal) caused by a classic 'startswith' prefix-check bug in xiaomusic/api/routers/file.py: the code verified that the resolved absolute_file_path started with the configured base directory string but did not append os.sep, so a base of '/srv/music' would also match '/srv/music_secret/' or '/srv/musicbackup/'. The PR #891 fix appends + os.sep to both temp_base and absolute_path comparisons in the music_file handler and in get_picture, confirming the affected CPE cpe:2.3:a:hanxi:xiaomusic:*:*:*:*:*:*:*:*.

RemediationAI

Upstream fix available (commit 88404da7a283f2c0a796a4cd16bbb6e6aa1f4722 via PR #891); a tagged released patched version is not independently confirmed from the input data, so operators should track the hanxi/xiaomusic repository for a post-0.5.7 release and upgrade as soon as it is published, referencing https://github.com/hanxi/xiaomusic/commit/88404da7a283f2c0a796a4cd16bbb6e6aa1f4722 and the VulnCheck advisory https://www.vulncheck.com/advisories/xiaomusic-path-traversal-via-get-music-endpoint. Until then, apply the one-line patch locally to xiaomusic/api/routers/file.py changing the three startswith(base) checks to startswith(base + os.sep) in the music_file and get_picture handlers. Compensating controls: place xiaomusic behind an authenticating reverse proxy or VPN so /music/ and /picture/ endpoints are not reachable by untrusted clients (trade-off: breaks direct mobile/smart-speaker access on untrusted networks); add a reverse-proxy URL filter that rejects requests containing .., URL-encoded %2e%2e, or backslashes on the /music/ and /picture/ paths (trade-off: encoding variants may bypass naive filters); and ensure the music_path directory has no sibling directories whose names share its prefix on the filesystem (trade-off: only a partial mitigation since attackers can still reach files inside legitimate siblings).

Share

CVE-2026-10108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy