Vulnerability in Swingmx Swingmusic
CVE-2026-23877
Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (in…
EPSS: 0.001 (22.3th percentile)
Affected products
- Swingmx Swingmusic — versions < 2.1.4
Weakness classification (CWE)
References
- https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh (x_refsource_CONFIRM)
- https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3 (x_refsource_MISC)