Skip to main content

Mpd EUVDEUVD-2026-33001

| CVE-2026-49128 HIGH
Path Traversal (CWE-22)
2026-05-28 VulnCheck GHSA-r679-wq5x-vg3g
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 28, 2026 - 20:28 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 20:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 20:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
May 28, 2026 - 20:20 vuln.today
Analysis Generated
May 28, 2026 - 20:20 vuln.today

DescriptionCVE.org

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

AnalysisAI

Information disclosure in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to read arbitrary directories and image files outside the configured music_directory via path traversal in the local storage plugin. The flaw, reported by VulnCheck, is exploitable through the standard MPD protocol commands listfiles and albumart, and a vendor patch is available in 0.24.11. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-based exploitation against any default-configured MPD instance reachable on its protocol port.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-33001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy