PatchSiren cyber security CVE debrief
CVE-2026-10108 hanxi CVE debrief
A path traversal vulnerability in xiaomusic v0.5.7 allows unauthenticated remote attackers to read arbitrary files from the server. The flaw exists in the GET /music/{file_path:path} endpoint, where an incomplete path prefix check fails to enforce directory boundaries. The comparison logic omits a trailing path separator when validating that requested files reside within the intended music directory. Attackers can exploit this by crafting traversal sequences that reach sibling directories sharing the music_path prefix, bypassing the restriction entirely. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) weakness. The vulnerability is network-exploitable without authentication, resulting in high confidentiality impact. The CVSS 4.0 vector indicates attack complexity is low, with no required privileges or user interaction. The issue was disclosed on 2026-05-29 with NVD status currently Deferred. A fix commit and security advisory are available from the disclosure source.
- Vendor: hanxi
- Product: xiaomusic
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
- Organizations running xiaomusic v0.5.7 or earlier versions for media serving
- Security teams monitoring for path traversal vulnerabilities in Python-based web applications
- Incident responders investigating potential unauthorized file access in music server deployments
Technical summary
The xiaomusic application v0.5.7 implements a music file serving endpoint at GET /music/{file_path:path} that attempts to restrict file access to a configured music directory. The path validation logic performs a prefix check using the music_path configuration value but fails to append a trailing directory separator before comparison. This omission allows attackers to specify traversal sequences that escape the intended directory while still satisfying the prefix match, provided the target directory shares the music_path prefix as a sibling. The vulnerability is exploitable without authentication, enabling arbitrary file read from the server filesystem. The CVSS 4.0 score of 8.7 reflects high confidentiality impact with low attack complexity and no required privileges or user interaction.
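The flawed prefix comparison described above, placed beside a corrected check, as an added illustration of the root cause. This is not code from the xiaomusic project; the directory names and request paths are constructed for the example.

```python
import posixpath

# Constructed example values, not taken from the xiaomusic codebase.
MUSIC_PATH = "/srv/music"


def resolve(music_path: str, requested: str) -> str:
    """Join the request onto the music directory and collapse '..' segments,
    mirroring what a file-serving handler does before opening the file."""
    return posixpath.normpath(posixpath.join(music_path, requested))


def is_allowed_naive(music_path: str, requested: str) -> bool:
    """Vulnerable pattern (CWE-22): a bare string-prefix check. A sibling
    such as '/srv/music_backup' also starts with '/srv/music', so a request
    for '../music_backup/secret.txt' satisfies the check."""
    return resolve(music_path, requested).startswith(music_path)


def is_allowed_fixed(music_path: str, requested: str) -> bool:
    """Hardened check: normalise the root, then require the resolved path to
    be the root itself or to start with root plus a trailing separator.
    posixpath.commonpath([root, full]) == root is an equivalent form.
    Symlink resolution (realpath) is a separate concern not covered here."""
    root = posixpath.normpath(music_path)
    full = resolve(root, requested)
    return full == root or full.startswith(root + "/")


def classify(requested: str, music_path: str = MUSIC_PATH) -> tuple:
    """Return (naive_verdict, fixed_verdict) for one request path."""
    return (is_allowed_naive(music_path, requested),
            is_allowed_fixed(music_path, requested))


if __name__ == "__main__":
    # Constructed request paths: a legitimate file, a sibling-directory
    # traversal that slips past the prefix check, and a traversal that
    # both checks reject.
    for req in ["song.mp3", "../music_backup/secret.txt", "../../etc/passwd"]:
        naive, fixed = classify(req)
        print(f"{req:32} naive={naive!s:5} fixed={fixed}")
```

The middle request is the sibling-directory case the advisory describes: the naive check accepts it, the separator-aware check rejects it.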
Defensive priority
HIGH
Recommended defensive actions
- Upgrade xiaomusic to a version containing commit 88404da7a283f2c0a796a4cd16bbb6e6aa1f4722 or later
- If immediate patching is not possible, restrict network access to the xiaomusic service to trusted hosts only
- Review application logs for suspicious file access patterns targeting the /music/ endpoint with path traversal sequences
- Implement additional path validation at the reverse proxy or WAF layer to block traversal attempts
- Monitor for unauthorized file access indicators in sibling directories of the configured music_path
Evidence notes
Vulnerability description and technical details sourced from NVD record with Vulncheck disclosure references. CVSS 4.0 vector and CWE-22 classification confirmed in source metadata. Fix commit, issue tracker reference, and vendor advisory linked through official disclosure channels. Vendor identification marked low confidence due to 'Unknown Vendor' classification in source; product attribution to xiaomusic project based on repository references.
Official resources
2026-05-29T18:16:31.310Z