Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (vulncheck) · only source for this CVE.
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Lightweight Music Server (LMS) though 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim's library, causing the payload to be saved during library scanning and executed automatically in the web interface due to tag content being rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp.
AnalysisAI
Stored cross-site scripting in Lightweight Music Server (LMS) through version 3.76.0 allows low-privileged authenticated attackers to plant persistent JavaScript payloads via crafted media file metadata fields (GENRE, ARTIST, ALBUM) that execute automatically in any victim's browser upon browsing the web interface. The root cause is unsanitized rendering of library metadata using Wt::TextFormat::UnsafeXHTML in src/lms/ui/Utils.cpp, meaning payloads survive library scanning and are stored permanently. No public exploit code or CISA KEV listing has been identified at time of analysis; VulnCheck and ZeroScience (ZSL-2026-5987) have published coordinated advisories disclosing the vulnerability.
Technical ContextAI
LMS is a self-hosted music streaming server built on the Wt (Web Toolkit) C++ web framework, which handles server-side rendering of the web UI. During library scanning, LMS parses media file metadata tags - such as ID3 tags in MP3 files, Vorbis comment fields in FLAC/OGG, or equivalent formats - and persists the raw tag values (GENRE, ARTIST, ALBUM) into its database. The vulnerable rendering path in src/lms/ui/Utils.cpp uses Wt::TextFormat::UnsafeXHTML to display this stored content, a Wt rendering mode that explicitly bypasses HTML sanitization and passes tag content directly to the browser as raw markup. CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS) is the applicable root cause class: untrusted external input (media file metadata) is stored without sanitization and later injected into HTML output without escaping, enabling arbitrary script execution in the victim's browser origin context. No CPE strings were provided in the source intelligence; affected scope is derived from the CVE description and advisory references.
RemediationAI
No vendor-released patched version has been independently confirmed in the available intelligence - the GitHub milestone 94 (https://github.com/epoupon/lms/milestone/94) appears to track the upstream fix but a tagged release beyond 3.76.0 has not been confirmed at time of analysis. Administrators should monitor the LMS GitHub repository (https://github.com/epoupon/lms) for a release that closes issue #844 and upgrade immediately upon availability. Until a patch is released, the most effective compensating control is restricting write access to the media library directory so only trusted administrators can introduce new files, thereby preventing untrusted parties from planting crafted metadata; the trade-off is loss of collaborative or user-contributed library functionality. Administrators of multi-user deployments should also audit recently-added media files for suspicious content in GENRE, ARTIST, and ALBUM fields. As an additional measure, restricting web UI access to trusted users or isolating the LMS instance to a private network reduces the exposed victim population. Content Security Policy (CSP) headers, if configurable in the Wt framework or reverse proxy layer, could mitigate the impact of XSS execution even if the payload fires. Consult the VulnCheck advisory at https://www.vulncheck.com/advisories/lightweight-music-server-stored-xss-via-media-file-metadata-tags and ZeroScience ZSL-2026-5987 at https://www.zeroscience.mk/#/advisories/ZSL-2026-5987 for additional remediation context.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33640
GHSA-m7jj-hw4m-mc77