CVE-2026-23877

Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3	Patch
https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:swingmx:swing_music:*:*:*:*:*:*:*:*

History

13 Mar 2026, 14:42

Type	Values Removed	Values Added
Summary		(es) Swing Music es un reproductor de música autoalojado para archivos de audio locales. Antes de la versión 2.1.4, la función `list_folders()` de Swing Music en el endpoint `/folder/dir-browser` es vulnerable a ataques de salto de directorio. Cualquier usuario autenticado (incluidos los no administradores) puede navegar por directorios arbitrarios en el sistema de archivos del servidor. La versión 2.1.4 soluciona el problema.
CPE		cpe:2.3:a:swingmx:swing_music::::::::
First Time		Swingmx Swingmx swing Music
References	~~() https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3 -~~	() https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3 - Patch
References	~~() https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh -~~	() https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3

19 Jan 2026, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-19 21:15

Updated : 2026-03-13 14:42

NVD link : CVE-2026-23877

Mitre link : CVE-2026-23877

CVE.ORG link : CVE-2026-23877

JSON object : View

Products Affected

swingmx

swing_music

CWE

CWE-25

Path Traversal: '/../filedir'

CWE-284

Improper Access Control

{"id": "CVE-2026-23877", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-19T21:15:52.147", "references": [{"url": "https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-25"}, {"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue."}, {"lang": "es", "value": "Swing Music es un reproductor de m\u00fasica autoalojado para archivos de audio locales. Antes de la versi\u00f3n 2.1.4, la funci\u00f3n `list_folders()` de Swing Music en el endpoint `/folder/dir-browser` es vulnerable a ataques de salto de directorio. Cualquier usuario autenticado (incluidos los no administradores) puede navegar por directorios arbitrarios en el sistema de archivos del servidor. La versi\u00f3n 2.1.4 soluciona el problema."}], "lastModified": "2026-03-13T14:42:23.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:swingmx:swing_music:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6C617A2-90C7-409F-9D71-B31879D6A3BD", "versionEndExcluding": "2.1.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}