Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user

Summary Swing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server filesystem. Details The @api.post"/dir-browser" endpoint lacks proper path...

GHSA-PJ88-9XWW-GXMH Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user

Summary Swing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server filesystem. Details The @api.post"/dir-browser" endpoint lacks proper path...

CVE-2026-23877

Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server...

CVE-2026-23877 Directory Traversal & Filesystem can be accessed by a non-admin user

Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server...

SwingMusic: Access control error vulnerability

SwingMusic is an open-source local music player developed by Swing Music. Versions of SwingMusic prior to 2.1.4 contained a access control error vulnerability. This vulnerability stemmed from a directory traversal vulnerability in the listfolders function within the /folder/dir-browser endpoint,...