DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23877: Swing Music: From Playlist to Password File via CVE-2026-23877


Vulnerability ID: CVE-2026-23877
CVSS Score: 5.3
Published: 2026-01-21

A classic directory traversal vulnerability in the Swing Music player lets any authenticated user step out of the configured music library roots and enumerate directory listings anywhere on the host filesystem.

TL;DR

Swing Music versions prior to 2.1.4 do not validate the folder path passed to the list_folders API. Any logged-in user, including accounts without admin rights, can use ../../ sequences to step out of the music directory and list the contents of arbitrary system folders. The fix rejects any requested path that does not lie within the configured root directories and additionally restricts the endpoint to administrators.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
  • CVSS v4.0: 5.3 (Medium)
  • Attack Vector: Network (Authenticated)
  • Impact: Information Disclosure / Filesystem Enumeration
  • Patch Commit: 9a915ca62af1502b9550722df82f5d432cb73de3
  • EPSS Score: 0.00200 (Low Probability)

Affected Systems

  • Swing Music < 2.1.4 (fixed in 2.1.4)

Code Analysis

Commit: 9a915ca

fix: prevent directory traversal in folder routes

diff --git a/src/swingmusic/api/folder.py b/src/swingmusic/api/folder.py
index ...
+ from swingmusic.utils import is_path_within_root_dirs
+ @admin_required()
+ def list_folders(body: DirBrowserBody):
+     if not is_path_within_root_dirs(body.folder):
+         return []
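Review bot: the rejected branch (`if not is_path_within_root_dirs(body.folder): return []`) answers a traversal attempt with an empty list and a success status, so a probe for `../../etc` is indistinguishable from an empty directory both to the client and in the server logs; consider a 400/403 response and a log line carrying the offending `body.folder` so attempts are visible to detection. The check is also applied to the raw request value, so confirm that `is_path_within_root_dirs` resolves `..` components and symlinks before comparing against the root directories, and that it compares path components rather than a string prefix, since a root of `/srv/music` would otherwise admit `/srv/music_old`. Finally, `@admin_required()` narrows the endpoint from any authenticated user to admins, which is a behaviour change for the folder browser worth calling out in the release notes.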

Exploit Details

Mitigation Strategies

  • Input Validation: Canonicalize every user-supplied path with Path.resolve(), which collapses ../ segments and follows symlinks, before using it in any comparison or filesystem call.
  • Boundary Checks: Compare the resolved request path against the resolved root directories with a component-wise test such as Path.is_relative_to(); a plain string prefix test on /srv/music also admits /srv/music_old.
  • Access Control: Restrict filesystem browsing endpoints to administrative users only, and treat a rejected path as an error to log rather than as an empty result.
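The following is an added example, not Swing Music's own code and not from the patch above: the canonicalize-then-contain check the mitigation bullets describe, placed beside the raw prefix test that the traversal bug class defeats, and a hardened listing routine built on it. All names are assumptions for illustration (`ROOT_DIRS`, `naive_prefix_check`, `list_folders`, `symlink_escape_demo`; `is_path_within_root_dirs` only shares its name with the helper in the patch), and the library roots and the temporary directory layout are constructed.

```python
# Added example, not Swing Music's own code: canonicalize-then-contain path
# checking for a folder-listing endpoint. ROOT_DIRS and the temp layout are
# constructed; is_path_within_root_dirs only shares its name with the patch.
import tempfile
from pathlib import Path

ROOT_DIRS = ["/srv/music", "/mnt/nas/audio"]  # constructed library roots


def naive_prefix_check(folder: str, roots=ROOT_DIRS) -> bool:
    """The check a traversal defeats: a string prefix test on the raw value.

    '/srv/music/../../etc' starts with '/srv/music', so it passes; so does the
    unrelated sibling directory '/srv/music_old'.
    """
    return any(folder.startswith(root) for root in roots)


def is_path_within_root_dirs(folder: str, roots=ROOT_DIRS) -> bool:
    """Resolve '..' and symlinks on both sides, then require containment.

    Path.is_relative_to compares path components, so '/srv/music_old' is not
    treated as lying inside '/srv/music'.
    """
    target = Path(folder).resolve()
    for root in roots:
        base = Path(root).resolve()
        if target == base or target.is_relative_to(base):
            return True
    return False


def list_folders(folder: str, roots=ROOT_DIRS) -> list[str]:
    """Hardened endpoint body: refuse before touching the filesystem, and hide
    subdirectories (e.g. symlinks) whose real location lies outside the roots."""
    if not is_path_within_root_dirs(folder, roots):
        raise PermissionError(f"path outside library roots: {folder!r}")
    return sorted(
        entry.name
        for entry in Path(folder).iterdir()
        if entry.is_dir() and is_path_within_root_dirs(str(entry), roots)
    )


def symlink_escape_demo() -> dict:
    """Constructed scenario in a temp dir: <root>/escape is a symlink to a
    directory outside the library. Returns the outcome of each check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "library")
        outside = Path(tmp, "secrets")
        (root / "rock").mkdir(parents=True)
        outside.mkdir()
        (root / "escape").symlink_to(outside, target_is_directory=True)
        roots = [str(root)]
        return {
            "rock_allowed": is_path_within_root_dirs(str(root / "rock"), roots),
            "dotdot_blocked": not is_path_within_root_dirs(
                str(root / "rock" / ".." / ".." / "secrets"), roots),
            "symlink_blocked": not is_path_within_root_dirs(str(root / "escape"), roots),
            "listing": list_folders(str(root), roots),
        }


if __name__ == "__main__":
    for probe in ["/srv/music/rock", "/srv/music/../../etc", "/srv/music_old"]:
        print(f"{probe:28} prefix={naive_prefix_check(probe)!s:5} "
              f"resolved={is_path_within_root_dirs(probe)}")
    print(symlink_escape_demo())
```

In a request handler the PermissionError maps naturally to a 400 or 403 plus a log line, which keeps traversal probes visible in the server logs instead of returning an empty list. Filtering the listed entries through the same check hides symlinks planted inside the library that point outside it, a case the request-path check alone does not cover.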

Remediation Steps:

  1. Stop the Swing Music service.
  2. Pull the latest docker image or update the source code to tag v2.1.4.
  3. Restart the service.
  4. Verify the fix by requesting a ../../ path through the /folder/dir-browser endpoint: a patched instance returns an empty list for paths outside the configured roots, and rejects the request outright for non-admin users.

References

