Swing Music: From Playlist to Password File via CVE-2026-23877
Jan 21, 2026 · 6 min read
Executive Summary (TL;DR)
Swing Music versions prior to 2.1.4 fail to sanitize file paths in the `list_folders` API. This allows any logged-in user—even those without admin rights—to traverse out of the music directory using `../../` sequences and list the contents of arbitrary system folders. The fix implements strict path resolution and boundary checks.
A classic directory traversal vulnerability in the Swing Music player allows any authenticated user to escape the music library sandbox and browse the host server's entire filesystem.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Swing Music (swingmx) | < 2.1.4 | 2.1.4 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) |
| CVSS v4.0 | 5.3 (Medium) |
| Attack Vector | Network (Authenticated) |
| Impact | Information Disclosure / Filesystem Enumeration |
| Patch Commit | 9a915ca62af1502b9550722df82f5d432cb73de3 |
| EPSS Score | 0.00200 (Low Probability) |
MITRE ATT&CK Mapping

CWE-22 definition: The software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.