CVE-2026-10108

Source
https://cve.org/CVERecord?id=CVE-2026-10108
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10108.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10108
Aliases
Published
2026-05-29T16:51:41.221Z
Modified
2026-07-08T08:12:22.215233874Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
xiaomusic 0.5.7 Path Traversal via GET /music endpoint
Details

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{filepath:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the musicpath prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "88404da7a283f2c0a796a4cd16bbb6e6aa1f4722"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10108.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/hanxi/xiaomusic

Affected ranges

Type
GIT
Repo
https://github.com/hanxi/xiaomusic
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.5.7"
        }
    ]
}

Affected versions

Other
main
test
v0.*
v0.1.1
v0.1.10
v0.1.100
v0.1.101
v0.1.11
v0.1.12
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.18
v0.1.19
v0.1.2
v0.1.20
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.25
v0.1.26
v0.1.27
v0.1.28
v0.1.29
v0.1.3
v0.1.30
v0.1.31
v0.1.32
v0.1.33
v0.1.34
v0.1.35
v0.1.36
v0.1.37
v0.1.38
v0.1.39
v0.1.4
v0.1.40
v0.1.41
v0.1.43
v0.1.44
v0.1.45
v0.1.46
v0.1.47
v0.1.48
v0.1.49
v0.1.5
v0.1.51
v0.1.52
v0.1.53
v0.1.54
v0.1.55
v0.1.56
v0.1.57
v0.1.58
v0.1.6
v0.1.60
v0.1.61
v0.1.62
v0.1.64
v0.1.65
v0.1.66
v0.1.67
v0.1.69
v0.1.7
v0.1.70
v0.1.71
v0.1.72
v0.1.73
v0.1.74
v0.1.75
v0.1.76
v0.1.77
v0.1.79
v0.1.8
v0.1.80
v0.1.81
v0.1.82
v0.1.83
v0.1.84
v0.1.85
v0.1.86
v0.1.87
v0.1.88
v0.1.89
v0.1.9
v0.1.90
v0.1.91
v0.1.92
v0.1.93
v0.1.94
v0.1.95
v0.1.96
v0.1.97
v0.1.98
v0.1.99
v0.2.0
v0.3.1
v0.3.10
v0.3.100
v0.3.101
v0.3.102
v0.3.11
v0.3.12
v0.3.13
v0.3.14
v0.3.15
v0.3.16
v0.3.17
v0.3.18
v0.3.19
v0.3.2
v0.3.20
v0.3.21
v0.3.22
v0.3.23
v0.3.24
v0.3.25
v0.3.26
v0.3.27
v0.3.28
v0.3.29
v0.3.3
v0.3.30
v0.3.31
v0.3.32
v0.3.33
v0.3.34
v0.3.35
v0.3.36
v0.3.37
v0.3.38
v0.3.39
v0.3.4
v0.3.40
v0.3.41
v0.3.42
v0.3.43
v0.3.44
v0.3.45
v0.3.46
v0.3.47
v0.3.48
v0.3.49
v0.3.5
v0.3.50
v0.3.51
v0.3.52
v0.3.53
v0.3.54
v0.3.55
v0.3.56
v0.3.57
v0.3.58
v0.3.59
v0.3.6
v0.3.60
v0.3.61
v0.3.62
v0.3.63
v0.3.64
v0.3.65
v0.3.66
v0.3.67
v0.3.68
v0.3.69
v0.3.7
v0.3.70
v0.3.71
v0.3.73
v0.3.74
v0.3.75
v0.3.76
v0.3.77
v0.3.78
v0.3.79
v0.3.8
v0.3.80
v0.3.81
v0.3.82
v0.3.83
v0.3.84
v0.3.85
v0.3.86
v0.3.87
v0.3.89
v0.3.9
v0.3.90
v0.3.91
v0.3.92
v0.3.93
v0.3.94
v0.3.95
v0.3.96
v0.3.97
v0.3.98
v0.3.99
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.13
v0.4.14
v0.4.15
v0.4.16
v0.4.17
v0.4.18
v0.4.19
v0.4.2
v0.4.20
v0.4.21
v0.4.22
v0.4.23
v0.4.24
v0.4.25
v0.4.26
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10108.json"