11 matches found
CVE-2026-10108 xiaomusic 0.5.7 Path Traversal via GET /music endpoint
xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/filepath:path endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from...
CVE-2026-10108
The CVE-2026-10108 entry concerns xiaomusic v0.5.7, with an unauthenticated path traversal vulnerability in GET /music/{file_path:path}. An attacker can read arbitrary files outside the music directory by exploiting an incomplete path prefix check and a missing trailing separator in the compariso...
CVE-2026-10108 xiaomusic 0.5.7 Path Traversal via GET /music endpoint
xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/filepath:path endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from...
CVE-2025-11607 harry0703 MoneyPrinterTurbo API Endpoint music.py upload_music path traversal
A weakness has been identified in harry0703 MoneyPrinterTurbo up to 1.2.6. The impacted element is the function uploadmusic of the file app/controllers/v1/music.py of the component API Endpoint. Executing a manipulation of the argument File can lead to path traversal. The attack may be performed...
CVE-2024-42788
A Stored Cross Site Scripting XSS vulnerability was found in "/music/ajax.php?action=savemusic" in Kashipara Music Management System v1.0. This vulnerability allows remote attackers to execute arbitrary code via "title" & "artist" parameter fields...
PT-2024-30160 · Unknown · Kashipara Music Management System
Name of the Vulnerable Software and Affected Versions: Kashipara Music Management System version 1.0 Description: A Stored Cross Site Scripting XSS issue was found in the "/music/ajax.php?action=save music" endpoint, allowing remote attackers to execute arbitrary code via the title and artist...
CVE-2024-42782
A SQL injection vulnerability in "/music/ajax.php?action=findmusic" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "search" parameter...
PT-2024-30157 · Unknown · Kashipara Music Management System
Name of the Vulnerable Software and Affected Versions: Kashipara Music Management System version 1.0 Description: A SQL injection vulnerability in the /music/index.php?page=view playlist endpoint allows an attacker to execute arbitrary SQL commands via the id parameter. This issue enables an...
PT-2024-30156 · Unknown · Kashipara Music Management System
Name of the Vulnerable Software and Affected Versions: Kashipara Music Management System version 1.0 Description: A SQL injection issue exists in the "/music/controller.php?page=view music" endpoint, allowing an attacker to execute arbitrary SQL commands via the id parameter. This enables attacke...
PT-2024-30154 · Unknown · Kashipara Music Management System
Name of the Vulnerable Software and Affected Versions: Kashipara Music Management System version 1.0 Description: A SQL injection issue in the "/music/ajax.php?action=find music" endpoint allows an attacker to execute arbitrary SQL commands via the search parameter. This enables the attacker to...
PT-2024-22851 · Unknown · Sourcecodester Music Gallery Site
Name of the Vulnerable Software and Affected Versions: SourceCodester Music Gallery Site version 1.0 Description: A critical vulnerability was found in the SourceCodester Music Gallery Site, affecting an unknown functionality of the file classes/Master.php?f=save music. This vulnerability leads t...