PYSEC-2026-3429

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/xiaomusic/PYSEC-2026-3429.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-3429
Aliases
Published
2026-07-13T15:19:14.099607Z
Modified
2026-07-13T16:33:27.875002678Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
xiaomusic contains an unauthenticated path traversal vulnerability
Details

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{filepath:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the musicpath prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server.

References

Affected packages

PyPI / xiaomusic

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.5.8

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.30
0.1.31
0.1.32
0.1.33
0.1.34
0.1.35
0.1.36
0.1.37
0.1.38
0.1.39
0.1.40
0.1.41
0.1.43
0.1.44
0.1.45
0.1.46
0.1.47
0.1.48
0.1.49
0.1.51
0.1.52
0.1.53
0.1.54
0.1.55
0.1.56
0.1.57
0.1.58
0.1.59
0.1.60
0.1.61
0.1.62
0.1.63
0.1.64
0.1.65
0.1.66
0.1.67
0.1.68
0.1.69
0.1.70
0.1.71
0.1.72
0.1.73
0.1.74
0.1.75
0.1.76
0.1.77
0.1.78
0.1.79
0.1.80
0.1.81
0.1.82
0.1.83
0.1.84
0.1.85
0.1.86
0.1.87
0.1.88
0.1.89
0.1.90
0.1.91
0.1.92
0.1.93
0.1.94
0.1.95
0.1.96
0.1.97
0.1.98
0.1.99
0.1.100
0.1.101
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17
0.3.18
0.3.19
0.3.20
0.3.21
0.3.22
0.3.23
0.3.24
0.3.25
0.3.26
0.3.27
0.3.28
0.3.29
0.3.30
0.3.31
0.3.32
0.3.33
0.3.34
0.3.35
0.3.36
0.3.37
0.3.38
0.3.39
0.3.40
0.3.41
0.3.42
0.3.43
0.3.44
0.3.45
0.3.46
0.3.47
0.3.48
0.3.49
0.3.50
0.3.51
0.3.52
0.3.53
0.3.54
0.3.55
0.3.56
0.3.57
0.3.58
0.3.60
0.3.61
0.3.62
0.3.63
0.3.64
0.3.65
0.3.66
0.3.67
0.3.68
0.3.69
0.3.70
0.3.71
0.3.72
0.3.73
0.3.74
0.3.75
0.3.76
0.3.77
0.3.78
0.3.79
0.3.80
0.3.81
0.3.82
0.3.83
0.3.84
0.3.85
0.3.86
0.3.87
0.3.88
0.3.89
0.3.90
0.3.91
0.3.98
0.3.99
0.3.100
0.3.101
0.3.102
0.4.0
0.4.1
0.4.2
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14
0.4.15
0.4.16
0.4.17
0.4.18
0.4.19
0.4.20
0.4.21
0.4.22
0.4.23
0.4.24
0.4.25
0.4.26
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/xiaomusic/PYSEC-2026-3429.yaml"