CVE-2026-49129

Source
https://cve.org/CVERecord?id=CVE-2026-49129
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49129.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49129
Downstream
Published
2026-05-28T19:10:31.013Z
Modified
2026-07-08T08:13:39.355434539Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin
Details

Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPTFOLLOWLOCATION is set without CURLOPTREDIRPROTOCOLSSTR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49129.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/musicplayerdaemon/mpd

Affected ranges

Type
GIT
Repo
https://github.com/musicplayerdaemon/mpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.24.11"
        }
    ]
}

Affected versions

v0.*
v0.14
v0.14_alpha1
v0.14_alpha2
v0.14_alpha3
v0.14_beta1
v0.14_beta2
v0.14_beta3
v0.15
v0.15_alpha1
v0.15_beta1
v0.15_beta2
v0.16
v0.16_alpha1
v0.16_alpha2
v0.16_alpha3
v0.17
v0.18
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.19
v0.19.1
v0.20
v0.20.1
v0.20.2
v0.20.3
v0.21
v0.21.1
v0.21.2
v0.21.3
v0.21.4
v0.21.5
v0.22
v0.23
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.24
v0.24.1
v0.24.10
v0.24.2
v0.24.3
v0.24.4
v0.24.5
v0.24.6
v0.24.7
v0.24.8
v0.24.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49129.json"