Skip to main content

Swing Music CVE-2026-23877

MEDIUM
Path Traversal: '/../filedir' (CWE-25)
2026-01-19 security-advisories@github.com GHSA-pj88-9xww-gxmh
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 19, 2026 - 21:15 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's list_folders() function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue.

AnalysisAI

Swing Music is a self-hosted music player for local audio files. versions up to 2.1.4 contains a security vulnerability.

Technical ContextAI

affects Swing Music is a self-hosted music player for local audio files.. Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's list_folders() function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue.

RemediationAI

Monitor vendor advisories for a patch.

Share

CVE-2026-23877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy