
Music Player Daemon CVE-2026-49130

EUVD ID: EUVD-2026-33006
Severity: MEDIUM (CVSS 4.0 base score 6.9)
Weakness: CWE-93, Improper Neutralization of CRLF Sequences ('CRLF Injection')
Published: 2026-05-28 (source: VulnCheck)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

May 28, 2026 20:23 (vuln.today): Source code evidence fetched
May 28, 2026 20:23 (vuln.today): Analysis generated
May 28, 2026 20:22 (NVD): CVSS changed from 5.3 (MEDIUM) to 6.9 (MEDIUM)

Description (NVD)

Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.

Analysis (AI-generated)

CRLF injection in Music Player Daemon (MPD) before version 0.24.11 enables network-accessible, unauthenticated attackers to embed raw CR/LF bytes into URI fields parsed from malicious XSPF playlists, injecting forged key-value lines into MPD text protocol responses (including playlistinfo, currentsong, and listplaylist outputs) as well as the persistent state file. The root mechanism is Expat's decoding of XML numeric character references (e.g., &#10;, which Expat decodes to a line-feed byte) before it invokes the character data callback in xspf_char_data, so the decoded bytes bypass the empty-string checks that previously served as the only guard. …
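The decode-before-callback behaviour described above, shown as an added example using Python's standard-library binding to Expat (this is not MPD's own code): a constructed XSPF playlist whose location carries numeric character references, a naive key-value emitter that lets the decoded CR/LF forge an extra protocol line, and a hardened emitter that rejects such values before they reach the response. The playlist text, the function names and the single "file:" line format are assumptions for this demonstration.

```python
import xml.parsers.expat

# Constructed XSPF playlist (not a real-world sample): the <location> value
# carries &#13;&#10;, which Expat decodes to raw CR/LF bytes before any
# character-data callback (MPD's xspf_char_data, or the handler below) runs.
MALICIOUS_XSPF = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<playlist version="1" xmlns="http://xspf.org/ns/0/"><trackList><track>'
    '<location>http://example.invalid/a.mp3&#13;&#10;Title: forged</location>'
    '</track></trackList></playlist>'
)

def collect_locations(xspf):
    """Return each <location> text exactly as Expat's CharacterData handler delivers it."""
    locations, current, in_location = [], [], False

    def start(name, attrs):
        nonlocal in_location, current
        if name == "location":
            in_location, current = True, []

    def chardata(data):
        # Expat may split the text into several calls; numeric references
        # arrive here already decoded, so 'data' can be a bare "\r" or "\n".
        if in_location:
            current.append(data)

    def end(name):
        nonlocal in_location
        if name == "location":
            locations.append("".join(current))
            in_location = False

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chardata
    parser.EndElementHandler = end
    parser.Parse(xspf, True)
    return locations

def vulnerable_response(uri):
    """Naive 'key: value' emitter: a CR/LF inside the value forges a second line."""
    return "file: " + uri + "\n"

def hardened_response(uri):
    """Refuse any value containing a line terminator before it reaches the protocol."""
    if "\r" in uri or "\n" in uri:
        raise ValueError("URI contains CR/LF; refusing to emit it")
    return "file: " + uri + "\n"
```

Checking for CR/LF at the point where a value is emitted (rather than trusting an empty-string check on the parsed input) is what closes the gap, because the parser has already performed the decoding by the time the callback sees the text.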



CVE-2026-49130 vulnerability details – vuln.today
