CVE-2026-49130

Source
https://cve.org/CVERecord?id=CVE-2026-49130
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49130.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49130
Downstream
Published
2026-05-28T19:12:42.644Z
Modified
2026-07-08T08:12:35.113511074Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx
Details

Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspfchardata function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49130.json",
    "cwe_ids": [
        "CWE-93"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/musicplayerdaemon/mpd

Affected ranges

Type
GIT
Repo
https://github.com/musicplayerdaemon/mpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.24.11"
        }
    ]
}

Affected versions

v0.*
v0.14
v0.14_alpha1
v0.14_alpha2
v0.14_alpha3
v0.14_beta1
v0.14_beta2
v0.14_beta3
v0.15
v0.15_alpha1
v0.15_beta1
v0.15_beta2
v0.16
v0.16_alpha1
v0.16_alpha2
v0.16_alpha3
v0.17
v0.18
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.19
v0.19.1
v0.20
v0.20.1
v0.20.2
v0.20.3
v0.21
v0.21.1
v0.21.2
v0.21.3
v0.21.4
v0.21.5
v0.22
v0.23
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.24
v0.24.1
v0.24.10
v0.24.2
v0.24.3
v0.24.4
v0.24.5
v0.24.6
v0.24.7
v0.24.8
v0.24.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49130.json"