CVE-2026-49130
MEDIUM
6,9
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM
5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none
Description
AI Translation Available
Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.
93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
DraftCommon Consequences
Security Scopes Affected:
Integrity
Potential Impacts:
Modify Application Data
Applicable Platforms
All platforms may be affected
https://github.com/MusicPlayerDaemon/MPD/commit/855085b35c67dddeef0652e2cb3ac8c…
https://github.com/MusicPlayerDaemon/MPD/issues/2483
https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
https://mstreet97.github.io/security-research/opensource/vulnerability-disclosu…
https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
https://www.vulncheck.com/advisories/music-player-daemon-crlf-injection-via-xsp…