Description
Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.
Published: 2026-05-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Music Player Daemon (MPD) versions prior to 0.24.11 contain a CRLF injection flaw within the XSPF playlist plugin. The bug originates in the xspf_char_data function, where Expat decodes numeric character references before passing character data to the callback. An attacker can supply a malicious XSPF playlist containing XML numeric character references that resolve to CR/LF bytes. These injected bytes are then written into URI fields and ultimately appear as forged key-value pairs in MPD protocol responses such as playlistinfo, currentsong, and listplaylist, as well as in the state file generated by MPD. This loss of protocol integrity can lead to information disclosure or manipulation of client behavior.
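The mechanism above (Expat resolving a numeric character reference before the character-data callback runs) and the input validation a playlist parser needs can both be seen with the Python binding of the same Expat library. This is an added example written for this page; it is not MPD's code and not part of the OpenCVE record. The sample XSPF document is constructed for the demonstration, the hosts in it are placeholders, and the function names are this example's own.

```python
"""Added example (not MPD's code, not from OpenCVE): parse a constructed XSPF
playlist with Expat, observe that &#13;&#10; inside <location> reaches the
character-data callback as literal CR LF bytes, and reject such URIs before
they can be echoed into a line-oriented protocol response or state file."""
import xml.parsers.expat

# Constructed sample playlist (not a real file). The second track's location
# carries &#13;&#10; (CR LF) inside the URI, the third carries a bare &#10;.
SAMPLE_XSPF = """<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList>
    <track><location>http://example.invalid/a.ogg</location></track>
    <track><location>http://example.invalid/b.ogg&#13;&#10;injected</location></track>
    <track><location>http://example.invalid/c&#10;.ogg</location></track>
  </trackList>
</playlist>
"""


def parse_locations(xml_text: str) -> list[str]:
    """Return the text of every <location> element exactly as the callback sees it.

    Expat may split one element's text over several CharacterDataHandler calls
    (it often does so around character references), so the text is accumulated
    between the start and end tags rather than taken from a single callback.
    """
    locations: list[str] = []
    buf: list[str] | None = None  # None while we are not inside <location>

    def start(name, attrs):
        nonlocal buf
        # Without a namespace separator, Expat reports the local name "location".
        if name == "location":
            buf = []

    def end(name):
        nonlocal buf
        if name == "location" and buf is not None:
            locations.append("".join(buf))
            buf = None

    def char_data(data):
        # By the time this runs, Expat has already turned &#13;&#10; into "\r\n":
        # the callback receives raw control bytes, not the escaped reference.
        if buf is not None:
            buf.append(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_text, True)
    return locations


def has_line_break(value: str) -> bool:
    """True if the value contains a byte that would terminate a protocol line."""
    return "\r" in value or "\n" in value


def safe_locations(xml_text: str) -> tuple[list[str], list[str]]:
    """Split parsed locations into accepted URIs and rejected ones.

    Rejecting beats silently stripping: a URI containing CR or LF was never a
    valid URI, and dropping the bytes would hide the tampering from operators.
    The rejected list is what a detection rule or log line should surface.
    """
    accepted: list[str] = []
    rejected: list[str] = []
    for uri in parse_locations(xml_text):
        (rejected if has_line_break(uri) else accepted).append(uri)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = safe_locations(SAMPLE_XSPF)
    print("accepted:", ok)
    print("rejected:", [repr(u) for u in bad])
```

The same check belongs wherever a parsed URI is later written one-value-per-line: the fix is to validate at the point the value enters the program (the character-data callback or the code that consumes it), not at each of the many output paths that repeat it.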

Affected Systems

All MusicPlayerDaemon MPD installations running a version earlier than 0.24.11 are affected. The patch is released in MPD 0.24.11, which removes the vulnerability by sanitizing input data in the XSPF playlist plugin.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.9, reflecting moderate severity. No EPSS score is available, and the issue is not listed in CISA's KEV catalog. The likely attack vector requires the attacker to supply a crafted XSPF playlist to the MPD process: the exploit can be local if the attacker can influence playlist uploads, or remote if the MPD server accepts playlists from untrusted network sources. Given the availability of a fixed release and the potential for protocol disruption, the risk warrants timely remediation.

Generated by OpenCVE AI on May 28, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MPD to version 0.24.11 or later to eliminate the CRLF injection flaw
  • Restrict the source of XSPF playlists to trusted users or locations and add input validation to reject numeric character references that resolve to CR/LF bytes
  • If the XSPF feature is unnecessary, disable the XSPF playlist plugin to prevent the vulnerability from being exploitable

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Musicplayerdaemon; Musicplayerdaemon mpd
Vendors & Products  |                | Musicplayerdaemon; Musicplayerdaemon mpd

Fri, 29 May 2026 15:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 21:30:00 +0000


Thu, 28 May 2026 19:45:00 +0000

Type        | Values Removed | Values Added
Description |                | (the CVE description text reproduced at the top of this page)
Title       |                | Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx
Weaknesses  |                | CWE-93
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
            |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T14:59:12.765Z

Reserved: 2026-05-27T17:40:12.738Z

Link: CVE-2026-49130

Vulnrichment

Updated: 2026-05-29T14:59:04.095Z

NVD

Status : Deferred

Published: 2026-05-28T20:16:26.823

Modified: 2026-05-29T14:07:47.980

Link: CVE-2026-49130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:52Z

Weaknesses
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')