Description
Lightweight Music Server (LMS) through 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim's library, causing the payload to be saved during library scanning and executed automatically in the web interface due to tag content being rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp.
Published: 2026-06-01
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows attackers to embed arbitrary JavaScript in media file metadata such as GENRE, ARTIST, or ALBUM. When the server scans the library, the unsanitized metadata is saved and rendered in the web interface using an unsafe XHTML formatter, causing the malicious script to execute in the victim’s browser. This can lead to session hijacking, defacement, or theft of sensitive information in the context of the LMS web application.

Affected Systems

epoupon Lightweight Music Server version 3.76.0 is affected; no other products or versions were noted in the advisory.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk level. EPSS is not available and the issue is not listed in CISA’s KEV catalog, suggesting limited availability of public exploits. The likely attack path requires an attacker to place a crafted media file into the library—either by uploading or by otherwise adding the file—to trigger the stored XSS when users view the library in the web interface. The exploitation does not require privilege escalation or authentication bypass, but it does depend on the attacker’s ability to influence the media library contents.

Generated by OpenCVE AI on June 1, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Lightweight Music Server to the latest release that includes the metadata sanitization fix.
  • If an immediate update is unavailable, sanitize or delete the GENRE, ARTIST, and ALBUM tags from existing media files before scanning, or avoid using media files that contain custom metadata.
  • Restrict media file uploads or imports to trusted users and enforce validation of metadata before it is stored.
  • Monitor web interface activity for unexpected JavaScript execution or anomalous page behavior.
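The second and third actions above amount to one control: check metadata for markup before it is stored or rendered, and escape it on output so an HTML-rendering widget shows it literally. The following is an added example written for this page, not LMS code; it is in Python rather than against the Wt C++ API, so the `sanitize_tag` function stands in for whatever escaping the UI layer applies, and the track dictionaries, the `audit_library` helper and all sample tag values are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Tag fields the advisory names as rendered in the LMS web UI (constructed list).
RENDERED_TAG_FIELDS = ("GENRE", "ARTIST", "ALBUM")


class _MarkupDetector(HTMLParser):
    """Sets `found` when the value contains an element, comment, declaration or PI,
    i.e. anything an XHTML renderer would interpret rather than display."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.found = False

    def handle_starttag(self, tag, attrs):
        self.found = True

    def handle_startendtag(self, tag, attrs):
        self.found = True

    def handle_endtag(self, tag):
        self.found = True

    def handle_comment(self, data):
        self.found = True

    def handle_decl(self, decl):
        self.found = True

    def handle_pi(self, data):
        self.found = True


def contains_markup(value: str) -> bool:
    """True if an unsafe-XHTML renderer would treat part of `value` as markup.
    A bare '<' followed by a space or digit ("1 < 2") is plain text and is not flagged."""
    if "<" not in value:
        return False
    detector = _MarkupDetector()
    detector.feed(value)
    detector.close()
    return detector.found


def sanitize_tag(value: str) -> str:
    """Escape a tag value so it is displayed literally even by an HTML-rendering widget.
    This is the output-side fix: escape at render time regardless of what was stored."""
    return html.escape(value, quote=True)


def sanitized_view(track: dict) -> dict:
    """Rendered fields of one track, escaped for display."""
    return {field: sanitize_tag(track.get(field, "")) for field in RENDERED_TAG_FIELDS}


def audit_library(tracks) -> list:
    """Input-side check: return (track id, field, raw value) for every rendered
    field that carries markup, so such files can be reviewed before a scan stores them."""
    findings = []
    for track in tracks:
        for field in RENDERED_TAG_FIELDS:
            value = track.get(field, "")
            if contains_markup(value):
                findings.append((track["id"], field, value))
    return findings


# Constructed sample metadata, shaped like what a library scanner would hand to the UI.
SAMPLE_TRACKS = [
    {"id": 1, "ARTIST": "AC/DC", "ALBUM": "Back in Black", "GENRE": "Rock & Roll"},
    {"id": 2, "ARTIST": "Unknown", "ALBUM": "<b>Bootleg</b>", "GENRE": "Rock"},
    {"id": 3, "ARTIST": "<script>payload</script>", "ALBUM": "x", "GENRE": "1 < 2"},
]


if __name__ == "__main__":
    for track_id, field, value in audit_library(SAMPLE_TRACKS):
        print(f"track {track_id}: {field} contains markup: {value!r}")
    for track in SAMPLE_TRACKS:
        print(track["id"], sanitized_view(track))
```

Both halves matter: `audit_library` finds files whose tags already carry markup (the "sanitize or delete before scanning" action), while `sanitize_tag` makes the rendered output safe even for files that slipped past that check. Note that the ampersand in "Rock & Roll" is not flagged, but it is still escaped on output, since the two functions answer different questions.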

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 20:30:00 +0000

Metrics (ssvc), values added:

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 15:00:00 +0000

Description, value added:

Lightweight Music Server (LMS) though 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim's library, causing the payload to be saved during library scanning and executed automatically in the web interface due to tag content being rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp.

Title, value added: Lightweight Music Server 3.76.0 Stored XSS via Media File Metadata Tags

Weaknesses, value added: CWE-79

References: (none listed)

Metrics (cvssV3_1), values added:

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Metrics (cvssV4_0), values added:

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-01T19:27:14.775Z

Reserved: 2026-05-21T18:34:46.418Z

Link: CVE-2026-48559

Vulnrichment

Updated: 2026-06-01T19:27:09.551Z

NVD

Status: Deferred

Published: 2026-06-01T15:16:37.843

Modified: 2026-06-01T16:55:20.100

Link: CVE-2026-48559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T16:45:16Z

Weaknesses