Description
xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Because the comparison omits the trailing separator, attackers can craft traversal sequences that land in sibling directories whose names share the music_path prefix, bypassing the path restriction and retrieving arbitrary files from the server.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Xiaomusic version 0.5.7 contains an unauthenticated path traversal flaw in its GET /music/{file_path:path} endpoint. The vulnerability arises from an incomplete path prefix check, where the comparison logic overlooks the trailing separator. Attackers can craft traversal sequences that bypass the intended music directory restriction and read arbitrary files on the host. The consequences are loss of confidentiality, as sensitive files outside the music folder can be exposed to any user without authentication.

Affected Systems

This weakness affects systems running the Xiaomusic application from the vendor hanxi, specifically version 0.5.7. No additional affected version information is supplied, so any deployment of this exact release is vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score is not provided, but the flaw is exploitable remotely over the network without authentication or special privileges. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a remote HTTP GET request to the /music endpoint, as the flaw requires neither authentication nor any additional software on the target.

Generated by OpenCVE AI on May 29, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xiaomusic to a patched version that resolves the path traversal flaw. If an update is not immediately available, remove or disable the GET /music endpoint or restrict it to authenticated users only.
  • Ensure the server only serves files from the intended music directory by configuring route checks or applying filesystem access controls.
  • Validate and sanitize any user‑supplied file path parameters on the server to guarantee they do not reference files outside the allowed directory.
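The flaw class described above (a prefix comparison that omits the trailing separator) and the third recommended action (validating the user-supplied path against the allowed directory) are illustrated by the following Python, which is an added example and not code from xiaomusic or OpenCVE. The directory names, the sibling directory and the request strings are constructed for the demonstration; the weak function is a hypothetical reconstruction of the CWE-22 pattern, not the project's own source.

```python
import os

# Constructed values for the demonstration (not taken from any real deployment).
MUSIC_PATH = "/srv/music"          # the configured music directory
SIBLING_DIR = "/srv/music_backup"  # a sibling directory whose name shares the prefix


def weak_is_allowed(music_path: str, requested: str) -> bool:
    """Hypothetical reconstruction of the vulnerable pattern: a bare string-prefix
    check with no trailing separator. "/srv/music_backup/keys.txt" starts with
    "/srv/music", so a traversal into the sibling directory passes the check."""
    full = os.path.normpath(os.path.join(music_path, requested))
    return full.startswith(music_path)


def safe_is_allowed(music_path: str, requested: str) -> bool:
    """Hardened check: canonicalise both sides (resolving '..' and symlinks), then
    require the result to be the base directory itself or to begin with
    base + os.sep. The separator is what stops "/srv/music_backup" from matching
    "/srv/music". A trailing slash in the configured path is also normalised away."""
    base = os.path.realpath(music_path)
    full = os.path.realpath(os.path.join(base, requested))
    return full == base or full.startswith(base + os.sep)


def resolve_music_file(requested: str, music_path: str = MUSIC_PATH):
    """What a file-serving handler should do with the user-controlled path segment:
    return the canonical path only when it is inside the music directory, else None
    (the caller then answers 404/403 instead of opening the file)."""
    if not safe_is_allowed(music_path, requested):
        return None
    return os.path.realpath(os.path.join(os.path.realpath(music_path), requested))


def compare(requested: str, music_path: str = MUSIC_PATH):
    """Return (weak_verdict, safe_verdict) for one request so the two checks can be
    compared side by side on the same input."""
    return weak_is_allowed(music_path, requested), safe_is_allowed(music_path, requested)


if __name__ == "__main__":
    # Constructed request paths: a legitimate track, a traversal into the sibling
    # directory that shares the prefix, a traversal out of /srv entirely, and an
    # absolute path (os.path.join discards the base when the argument is absolute).
    for req in ("album/track.mp3", "../music_backup/keys.txt",
                "../../etc/passwd", "/etc/passwd"):
        weak, safe = compare(req)
        print(f"{req!r:30} weak={weak!s:5} safe={safe!s:5} -> {resolve_music_file(req)}")
```

Only the sibling-directory request separates the two checks: the weak prefix test accepts it, the hardened test rejects it, while both reject paths that leave /srv altogether. `os.path.commonpath([base, full]) == base` is an equivalent idiom for the hardened check that avoids hand-appending the separator.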


Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Values added (no values removed):

  • Description: (the CVE description text, identical to the Description section above)
  • Title: xiaomusic 0.5.7 Path Traversal via GET /music endpoint
  • Weaknesses: CWE-22
  • References: (none)
  • Metrics:
      cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
      cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T16:51:41.221Z

Reserved: 2026-05-29T16:45:04.347Z

Link: CVE-2026-10108

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-29T18:16:31.310

Modified: 2026-05-29T18:16:31.310

Link: CVE-2026-10108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses