CVE-2026-49129
MEDIUM
6.9
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM
5.8
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: low
Integrity: none
Availability: none
Description
Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.
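The weakness described above is a per-hop check that is missing, not a bug in the check on the user-supplied URL: MPD already limited the URL passed to add/load/readpicture to http and https, but once CURLOPT_FOLLOWLOCATION is on, libcurl will follow a Location header to whatever scheme the remote server names unless the redirect allowlist is set separately. The following is an added, self-contained Python model of that logic; it is not MPD's CurlInputPlugin or libcurl, and the host `radio.example`, the canned responses, and the gopher target on port 6379 are constructed for the example. It shows the pre-fix shape (initial scheme checked, redirect scheme not), the fixed shape (both checked), and what each does with an attacker-controlled 302. The libcurl option names quoted in the comments are real: CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR (curl 7.85.0 and later), and the older CURLOPT_PROTOCOLS / CURLOPT_REDIR_PROTOCOLS bitmasks.

```python
"""
Model of the redirect-scheme check behind CVE-2026-49129 (added example,
not MPD or libcurl code).

libcurl equivalents of the two allowlists modelled below:
    CURLOPT_PROTOCOLS_STR       "http,https"  -> schemes allowed for the first request
    CURLOPT_REDIR_PROTOCOLS_STR "http,https"  -> schemes allowed for every redirect hop
(both added in curl 7.85.0; older libcurl takes the CURLOPT_PROTOCOLS /
CURLOPT_REDIR_PROTOCOLS bitmasks, e.g. CURLPROTO_HTTP | CURLPROTO_HTTPS).
Setting only the first one is the bug: FOLLOWLOCATION then honours a
Location: gopher://... header and libcurl speaks gopher to that host.
"""
from urllib.parse import urljoin, urlsplit

HTTP_ONLY = ("http", "https")


class RedirectBlocked(Exception):
    """Location header names a scheme outside the redirect allowlist."""


class TooManyRedirects(Exception):
    """Redirect chain exceeded the hop limit."""


# Constructed responses standing in for an attacker-controlled HTTP server and
# for an internal service that the redirect points at. Nothing touches the
# network; key = absolute URL, value = (status, headers, body).
FAKE_SERVERS = {
    # malicious server: bounces the client to an internal Redis-style port
    "http://radio.example/stream": (302, {"Location": "gopher://127.0.0.1:6379/_SET%20x%20y"}, b""),
    # benign server: relative redirect that must still work after the fix
    "http://radio.example/live": (302, {"Location": "/live.mp3"}, b""),
    "http://radio.example/live.mp3": (200, {}, b"ID3 constructed audio"),
    # redirect loop, to show the hop limit is independent of the scheme check
    "http://radio.example/loop": (302, {"Location": "http://radio.example/loop"}, b""),
    # what libcurl would get back if it were allowed to talk gopher to 127.0.0.1:6379
    "gopher://127.0.0.1:6379/_SET%20x%20y": (200, {}, b"+OK"),
}


def fetch(url, *, protocols=HTTP_ONLY, redir_protocols=None, max_redirs=10):
    """Follow redirects the way CURLOPT_FOLLOWLOCATION=1 does.

    protocols:       schemes accepted for the user-supplied URL.
    redir_protocols: schemes accepted for Location targets. None models the
                     unrestricted behaviour the advisory describes.
    Returns (final_url, body).
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in protocols:
        raise ValueError(f"scheme {scheme!r} not permitted for the initial request")

    for _hop in range(max_redirs + 1):
        status, headers, body = FAKE_SERVERS[url]
        if status not in (301, 302, 303, 307, 308):
            return url, body
        # A relative Location resolves against the URL that produced it.
        target = urljoin(url, headers["Location"])
        target_scheme = urlsplit(target).scheme.lower()
        # This is the check that was missing: it must run on *every* hop.
        if redir_protocols is not None and target_scheme not in redir_protocols:
            raise RedirectBlocked(f"redirect to {target_scheme}:// refused: {target}")
        url = target
    raise TooManyRedirects(url)


def vulnerable_fetch(url):
    """Pre-0.24.11 shape: FOLLOWLOCATION on, no redirect allowlist."""
    return fetch(url, redir_protocols=None)


def fixed_fetch(url):
    """0.24.11 shape: redirect hops restricted to the same schemes as the first request."""
    return fetch(url, redir_protocols=HTTP_ONLY)


def outcome(fetch_fn, url):
    """Summarise a fetch as a tuple so the two configurations can be compared."""
    try:
        final_url, body = fetch_fn(url)
        return ("fetched", urlsplit(final_url).scheme, body)
    except RedirectBlocked:
        return ("blocked-redirect", None, None)
    except TooManyRedirects:
        return ("too-many-redirects", None, None)
    except ValueError:
        return ("initial-scheme-refused", None, None)


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_fetch), ("fixed", fixed_fetch)):
        for path in ("stream", "live", "loop"):
            print(name, path, outcome(fn, f"http://radio.example/{path}"))
        print(name, "direct gopher", outcome(fn, "gopher://127.0.0.1:6379/_INFO"))
```

Both configurations refuse a gopher URL given directly, which is why the advisory stresses the redirect path: the vulnerable configuration ends up "fetching" from `gopher://127.0.0.1:6379`, while the fixed one stops at the 302 and still follows the benign relative redirect to the audio file. When auditing other libcurl users, look for CURLOPT_FOLLOWLOCATION set without a matching CURLOPT_REDIR_PROTOCOLS_STR (or CURLOPT_REDIR_PROTOCOLS) call; the initial-URL allowlist alone does not close this.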
CWE-918: Server-Side Request Forgery (SSRF)
Status: Incomplete
Common Consequences
Security Scopes Affected:
Confidentiality
Integrity
Access Control
Potential Impacts:
Read Application Data
Execute Unauthorized Code Or Commands
Bypass Protection Mechanism
Applicable Platforms
Technologies:
Web Based, AI/ML, Web Server
https://github.com/MusicPlayerDaemon/MPD/commit/78341dd6c7b101c3feede233d4cc4f8…
https://github.com/MusicPlayerDaemon/MPD/issues/2487
https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
https://mstreet97.github.io/security-research/opensource/vulnerability-disclosu…
https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
https://www.vulncheck.com/advisories/music-player-daemon-ssrf-via-curlinputplug…