Description
Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue.
Published: 2026-01-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

Swing Music’s /folder/dir-browser endpoint contains a directory traversal flaw in the list_folders() function that allows any authenticated user—including those without admin privileges—to enumerate and retrieve files from arbitrary directories on the server. This vulnerability is a classic path traversal (CWE‑25) coupled with an improper authorization mechanism (CWE‑284), enabling the disclosure of sensitive data that may include system files or other private host content. The ability to read arbitrary paths without needing elevated rights means the attack can be launched by a normal user account, potentially exposing confidential or proprietary information.

Affected Systems

The affected software is Swing Music, a self-hosted music player maintained by swingmx. All versions prior to 2.1.4 are vulnerable; the fix was introduced in 2.1.4. Thus any deployment running Swing Music version 2.1.3 or earlier is at risk.

Risk and Exploitability

The CVSS v3.1 base score of 5.3 rates this issue as moderately severe. The EPSS score of less than 1 % indicates a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authentication but does not rely on excessive privileges, it is likely to be exercised by any user who gains valid credentials to the application. No known remote code execution vector is indicated, so the primary risk remains confidential data exposure.

Generated by OpenCVE AI on April 18, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Swing Music to version 2.1.4 or newer to eliminate the directory traversal vulnerability.
  • If upgrading is not immediately possible, restrict the /folder/dir-browser endpoint to only authorized directories or disable it entirely for authenticated users lacking appropriate permissions.
  • Implement input validation for the path parameter in list_folders() to reject traversal sequences such as ".." or leading slashes.
  • Monitor authentication and directory access logs for anomalous traversal attempts and investigate any suspicious activity.

Generated by OpenCVE AI on April 18, 2026 at 15:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pj88-9xww-gxmh Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user
History

Fri, 13 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Swingmx swing Music
CPEs cpe:2.3:a:swingmx:swing_music:*:*:*:*:*:*:*:*
Vendors & Products Swingmx swing Music
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 20 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Swingmx
Swingmx swingmusic
Vendors & Products Swingmx
Swingmx swingmusic

Mon, 19 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
Description Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue.
Title Directory Traversal & Filesystem can be accessed by a non-admin user
Weaknesses CWE-25
CWE-284
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Swingmx Swing Music Swingmusic
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T15:20:58.996Z

Reserved: 2026-01-16T21:02:02.900Z

Link: CVE-2026-23877

cve-icon Vulnrichment

Updated: 2026-01-20T15:13:49.972Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T21:15:52.147

Modified: 2026-03-13T14:42:23.030

Link: CVE-2026-23877

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses