QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-10108

Back to search

CVE-2026-10108

Published: May 29, 2026

Modified: Jun 1, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the music_path prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server.

VendorProductVersions

hanxi

xiaomusic

affected
0 - <= 0.5.7
affected
0 - <= 88404da7a283f2c0a796a4cd16bbb6e6aa1f4722

Weaknesses (CWE)

CWE-22

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

GitHub Issue
issue-tracking
Pull Request
technical-description
Release Notes
third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now