Description
Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.
Published: 2026-05-04
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the bundled web UI of Beets, which renders untrusted metadata fields with Underscore's interpolating tag <%= ... %>. In that template runtime the <%= ... %> tag inserts the value as-is; only <%- ... %> applies HTML escaping. The rendered string is then inserted into the page through a .html(...) sink, so any markup carried in a metadata value (a tag with an event-handler attribute, for example) becomes live DOM and its script runs in the viewer's browser. This is a classic cross-site scripting vulnerability (CWE-79).
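To make the <%= ... %> versus <%- ... %> distinction concrete, the following is an added example, not code from beets or from Underscore. It uses a minimal stand-in for Underscore's _.template that supports only those two tag forms with the same raw-versus-escaped semantics (real Underscore evaluates arbitrary JavaScript inside the tags), renders a constructed track record whose title tag carries markup through a vulnerable row template and a hardened one, and checks whether any tag beyond the template's own table markup survives in the output. The template strings, the track record and the helper names are assumptions for the demonstration.

```javascript
// Added example, not beets or Underscore code: a minimal stand-in for _.template
// implementing only <%= expr %> (raw insertion) and <%- expr %> (HTML-escaped).
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Same character set Underscore's _.escape handles.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Resolve a dotted path such as "item.title" against the data object.
function lookup(data, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
}

// Render a template. Only dotted property paths are supported, which is enough to
// show the escaping difference; Underscore would evaluate arbitrary JS here.
function renderTemplate(source, data) {
  return source.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_match, mode, path) => {
    const value = lookup(data, path);
    const text = value == null ? '' : String(value);
    return mode === '=' ? text : escapeHtml(text);
  });
}

// Constructed sample record (assumption): a track whose title tag carries markup.
// In the scenario the advisory describes, such a value arrives through metadata
// the web UI later renders.
const HOSTILE_TRACK = {
  id: 42,
  title: '<img src=x onerror="alert(document.domain)">',
  artist: 'Someone & Co',
};

// Vulnerable shape: raw interpolation, as the advisory describes for versions < 2.10.0.
const VULNERABLE_ROW = '<tr><td><%= item.title %></td><td><%= item.artist %></td></tr>';
// Hardened shape: escaped interpolation, so the string handed to .html() is inert text.
const HARDENED_ROW = '<tr><td><%- item.title %></td><td><%- item.artist %></td></tr>';

function renderVulnerable(track) { return renderTemplate(VULNERABLE_ROW, { item: track }); }
function renderHardened(track) { return renderTemplate(HARDENED_ROW, { item: track }); }

// Heuristic check for this demo's fixed template shape only: does any tag other than
// the template's own <tr>/<td> markup appear in the rendered output?
function containsInjectedTag(html) {
  return /<(?!\/?(tr|td)\b)[a-z]/i.test(html);
}

console.log(renderVulnerable(HOSTILE_TRACK));
// <tr><td><img src=x onerror="alert(document.domain)"></td><td>Someone & Co</td></tr>
console.log(renderHardened(HOSTILE_TRACK));
// <tr><td>&lt;img src=x onerror=&quot;alert(document.domain)&quot;&gt;</td><td>Someone &amp; Co</td></tr>
```

The point of the hardened output is that .html(...) receives entity-encoded text: the browser parses &lt;img ...&gt; as characters to display, not as an element, so no handler attribute is ever created. Escaping at the template is the right layer because it does not depend on every call site remembering to use .text(...) instead of .html(...).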

Affected Systems

Beets versions prior to 2.10.0 are affected. The vendor and product identified by the CNA are Beetbox and beets (beetbox:beets). Running the bundled web UI on any version older than 2.10.0 exposes it to this XSS risk.

Risk and Exploitability

The CVSS v4.0 base score of 6 (Medium) follows from the vector recorded on this page: network attack vector, low attack complexity and no privileges required, but attack requirements present (AT:P), passive user interaction (UI:P), and high integrity impact with no confidentiality or availability impact on the vulnerable system. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog; that means no confirmed in-the-wild exploitation is recorded there, not that exploitation is unlikely. The attack requires that an attacker can supply or modify metadata that the web UI renders, and that a user then views the page in a browser; once the vulnerable UI displays the injected markup, the script runs in that user's browser context for the web UI. The risk is therefore confined to deployments where an attacker can influence the library's metadata and a user of the web UI views the affected item.

Generated by OpenCVE AI on May 4, 2026 at 19:23 UTC.

Remediation

No separate vendor advisory or workaround is recorded on this page. The CVE description states that the issue is patched in Beets version 2.10.0.

OpenCVE Recommended Actions

  • Upgrade Beets to version 2.10.0 or later, the version the CVE description identifies as patched.
  • Restrict access to the Beets web UI to trusted administrators only, or place it behind authentication and network controls, to reduce exposure.
  • If an upgrade is not immediately possible, review the metadata fields the web UI renders for HTML markup (tags, quotes, ampersands) and remove or escape any such content before the UI displays it, paying particular attention to values that came from sources you do not control.
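As an added example for the third action (not beets code), the block below audits an exported list of library items for fields whose value would change under HTML escaping, which is exactly the set of values the unescaped <%= ... %> template would hand to .html() as live markup. The item shape, the field list and the sample records are assumptions; in practice you would feed it a JSON export of your library items.

```javascript
// Added example, not beets code: find metadata values that are not a fixed point of
// HTML escaping, i.e. values the unescaped template would render as live markup.
const FIELDS_TO_CHECK = ['title', 'artist', 'album', 'comments', 'genre']; // assumed field names

// Same character set Underscore's _.escape handles.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  }[ch]));
}

// Returns one finding per (item, field) whose value escaping would alter.
function findUnsafeFields(items, fields = FIELDS_TO_CHECK) {
  const findings = [];
  for (const item of items) {
    for (const field of fields) {
      const value = item[field];
      if (value == null) continue; // absent or null fields render as empty strings
      const text = String(value);
      if (escapeHtml(text) !== text) {
        findings.push({ id: item.id, field, value: text });
      }
    }
  }
  return findings;
}

// Constructed sample export (assumption). A plain ampersand is flagged too: it is
// harmless on its own, but it shows the field is not safe to insert unescaped.
const SAMPLE_ITEMS = [
  { id: 1, title: 'Clean Title', artist: 'Plain Artist', album: 'Album', comments: '' },
  { id: 2, title: 'Rock & Roll', artist: 'Plain Artist', album: 'Album', comments: null },
  { id: 3, title: 'x', artist: 'Plain', album: 'Album', comments: '<svg onload=alert(1)>' },
];

function auditSampleExport() {
  return findUnsafeFields(SAMPLE_ITEMS);
}

for (const f of auditSampleExport()) {
  console.log(`item ${f.id}: field "${f.field}" needs escaping: ${JSON.stringify(f.value)}`);
}
```

Using "escaping changes the value" as the test, rather than a hand-written list of dangerous substrings, keeps the audit aligned with what the fixed template actually does and avoids missing encodings a blocklist would not anticipate.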



Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

  Type: First Time appeared
  Values Added: Beetbox; Beetbox beets

  Type: Vendors & Products
  Values Added: Beetbox; Beetbox beets

Mon, 04 May 2026 17:45:00 +0000

  Type: Description
  Values Added: Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.

  Type: Title
  Values Added: beets is Vulnerable to XSS

  Type: Weaknesses
  Values Added: CWE-79

  Type: References
  Values Added: (none listed)

  Type: Metrics
  Values Added: cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T17:06:23.162Z

Reserved: 2026-04-23T16:05:01.710Z

Link: CVE-2026-42052

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T18:16:30.063

Modified: 2026-05-04T18:16:30.063

Link: CVE-2026-42052

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:43:54Z

Weaknesses