Music Assistant Server

Product: 1 CVE

CVE-2026-26975 HIGH This Week

Remote code execution in Music Assistant Server 2.6.3 and below enables unauthenticated network-adjacent attackers to execute arbitrary code through path traversal in the playlist update API, which fails to enforce file extension restrictions and allows writing malicious Python files to site-packages. The vulnerability is particularly critical because affected containers typically run as root, amplifying the impact of successful exploitation. No patch is currently available, leaving installations at risk until an upgrade to version 2.7.0 or later is performed.

Python RCE Path Traversal Music Assistant Server
NVD GitHub VulDB
CVSS 3.1: 8.8
EPSS: 0.0%