CVE-2026-49130— Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MusicPlayerDaemon | MPD | < 0.24.11 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49130
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx
Source: NVD (National Vulnerability Database)
Vulnerability Description
Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对CRLF序列的转义处理不恰当(CRLF注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Music Player Daemon 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Music Player Daemon是Music Player Daemon开源的一款音乐播放守护进程。 Music Player Daemon 0.24.11之前版本存在安全漏洞,该漏洞源于XSPF播放列表插件中xspf_char_data函数存在CRLF注入问题,允许攻击者通过提供恶意XSPF播放列表嵌入文字CR/LF字节,利用Expat对数字字符引用的解码,通过location字段向MPD协议响应注入伪造键值行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| MusicPlayerDaemon | MPD | 0 ~ 0.24.11 | - |
II. Public POCs for CVE-2026-49130
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49130
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-49130 (2)
Vendor Advisories for CVE-2026-49130 (1)
Vendor Pages for CVE-2026-49130 (2)
- 🔗 Release v0.24.11 · MusicPlayerDaemon/MPD · GitHubrelease-notes
Same Patch Batch · MusicPlayerDaemon · 2026-05-28 · 4 CVEs total
| CVE-2026-49127 | 8.6 HIGH | Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be |
| CVE-2026-49128 | 7.5 HIGH | Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling |
| CVE-2026-49129 | 5.8 MEDIUM | Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin |
IV. Related Vulnerabilities
Same weakness: CWE-93
- CVE-2026-45372
cpp-httplib: HTTP header value percent-decoding in server-si - CVE-2026-46740
Mojolicious::Plugin::Statsd versions through 0.04 for Perl a - CVE-2026-44214
eventsource-encoder: SSE event injection via unsanitized eve - CVE-2026-47072
CRLF injection in WebSocket upgrade request in hackney - CVE-2026-47075
CR/LF injection in query parameter in hackney
V. Comments for CVE-2026-49130
No comments yet