XSS in Beetbox Beets
CVE-2026-42052
Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.001 (19.5th percentile)
Affected products
- Beetbox Beets — versions < 2.10.0
Weakness classification (CWE)
References
- https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847 (x_refsource_CONFIRM)
- https://github.com/beetbox/beets/releases/tag/v2.10.0 (x_refsource_MISC)
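The description above turns on the difference between Underscore's two interpolation tags: <%= ... %> inserts a value raw, <%- ... %> runs it through _.escape first. The following is an added example, not code from the beets project or its web UI. It uses a small stand-in renderer that implements just those two tags for simple field lookups, so the difference can be seen without the library, and a helper that lists the fields a template inserts with the raw tag (a quick audit check over a UI's template sources). The field names, the sample metadata and the two template strings are constructed for illustration; the escape set mirrors the six characters Underscore's _.escape replaces.

```javascript
// Added example (not from the beets project): a minimal stand-in for the two
// Underscore interpolation tags, written so the difference is visible without
// the library. Field names, templates and sample metadata below are constructed.

// Same six characters that Underscore's _.escape() replaces.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Renders a template that uses only simple field lookups: <%= field %> is
// inserted raw (Underscore "interpolate"), <%- field %> is inserted through
// escapeHtml() (Underscore "escape"). Missing fields render as empty strings,
// which is also what Underscore does for null/undefined values.
function render(template, data) {
  return template.replace(/<%([=-])\s*([A-Za-z_$][\w$]*)\s*%>/g, (_m, mode, field) => {
    const value = data[field] == null ? '' : data[field];
    return mode === '-' ? escapeHtml(value) : String(value);
  });
}

// Audit helper: list every expression a template inserts with the raw tag.
// Running this over a UI's template sources flags the spots to review.
function findRawInterpolations(template) {
  const found = [];
  const re = /<%=\s*([^%]*?)\s*%>/g;
  let m;
  while ((m = re.exec(template)) !== null) found.push(m[1]);
  return found;
}

// Constructed metadata: a tag value an untrusted media file could carry.
const item = { title: 'Greatest <b>Hits</b> & "More"', artist: 'Example Artist' };

// Before: title inserted raw. After: every untrusted field goes through <%- %>.
const vulnerableTemplate = '<li class="track"><%= title %> by <%- artist %></li>';
const fixedTemplate = '<li class="track"><%- title %> by <%- artist %></li>';

function demo() {
  return {
    vulnerable: render(vulnerableTemplate, item),
    fixed: render(fixedTemplate, item),
    rawFields: findRawInterpolations(vulnerableTemplate),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log('raw     :', out.vulnerable);
  console.log('escaped :', out.fixed);
  console.log('audit   :', out.rawFields);
}
```

With the raw tag the markup in the title lands in the page as markup; with the escaping tag it lands as text, and the audit helper reports only the one field that still uses the raw tag. The same check works on real Underscore templates, since it only reads the template source.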