
PatchSiren cyber security CVE debrief

CVE-2026-49130 MusicPlayerDaemon CVE debrief

Music Player Daemon (MPD) versions prior to 0.24.11 contain a CRLF injection vulnerability in the XSPF playlist plugin. The flaw resides in the xspf_char_data function, which fails to sanitize XML numeric character references (NCRs) for carriage return (CR) and line feed (LF) bytes before passing decoded character data into URI fields. Attackers can craft malicious XSPF playlist files containing NCRs (e.g., &#13; for CR, &#10; for LF) that Expat decodes during XML parsing, injecting literal newline characters into the location field. This injection propagates into MPD protocol responses, including playlistinfo, currentsong, and listplaylist output, as well as the state file writer. The vulnerability enables response splitting and potential cache poisoning or client-side parsing confusion, though the integrity impact is rated low under CVSS 4.0. The issue was disclosed on 2026-05-28 and patched in MPD 0.24.11, released the same day.

Vendor: MusicPlayerDaemon
Product: MPD
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running MPD instances with XSPF playlist support, particularly those exposing MPD control interfaces to network clients or processing untrusted playlist files. Audio streaming services, internet radio infrastructure, and media server deployments using MPD for backend playback management should prioritize patching.

Technical summary

The xspf_char_data callback in MPD's XSPF playlist plugin receives character data after the Expat XML parser has already decoded numeric character references. The function lacks validation to reject or escape decoded CR (0x0D) and LF (0x0A) bytes before appending them to URI strings. Attackers embedding &#13; and &#10; NCRs in XSPF location elements achieve literal newline injection into MPD's internal song metadata. These injected bytes propagate through MPD's text-based protocol responses (playlistinfo, currentsong, listplaylist) and state file serialization, violating the line-oriented assumptions of both. The vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences).

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to MPD 0.24.11 or later to obtain the patched XspfPlaylistPlugin.cxx
  • Validate and sanitize XSPF playlist files from untrusted sources before loading into MPD
  • Monitor MPD protocol responses and state files for anomalous line breaks indicating exploitation attempts
  • Implement network segmentation to limit exposure of MPD control interfaces to untrusted clients
  • Review application logs for unexpected CRLF sequences in playlist metadata fields
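As an added example, not MPD's own code nor part of the advisory, the following Python script shows the parser-side behaviour from the technical summary and implements the "validate and sanitize" action above: it feeds an XSPF file to Python's Expat binding, collects each <location> exactly as a character-data callback receives it (NCRs already decoded, possibly split across several calls), and rejects any URI that still contains a raw CR or LF. The sample playlist, the placeholder host example.invalid and the function names are constructed.

```python
import xml.parsers.expat

# Constructed sample (example.invalid is a placeholder host); the second
# location carries &#13;&#10; NCRs that Expat decodes into raw CR/LF.
SAMPLE_XSPF = (
    '<playlist version="1" xmlns="http://xspf.org/ns/0/">\n'
    '  <trackList>\n'
    '    <track><location>http://example.invalid/a.ogg</location></track>\n'
    '    <track><location>http://example.invalid/b.ogg&#13;&#10;'
    'extra line</location></track>\n'
    '  </trackList>\n'
    '</playlist>\n'
)

def parse_locations(xml_text):
    """Return each <location> as a character-data callback sees it (NCRs
    already decoded), mirroring what MPD's xspf_char_data receives."""
    locations, buf, inside = [], [], False
    parser = xml.parsers.expat.ParserCreate()

    def start(name, _attrs):
        nonlocal inside
        if name == "location":
            inside = True
            buf.clear()

    def end(name):
        nonlocal inside
        if name == "location":
            inside = False
            locations.append("".join(buf))

    def char_data(data):
        # Expat may deliver one element's text in several calls, so the
        # CR/LF check runs on the assembled string, not on each fragment.
        if inside:
            buf.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_text, True)
    return locations

def audit_playlist(xml_text):
    """Split locations into (accepted, rejected); raw CR/LF means reject."""
    accepted, rejected = [], []
    for uri in parse_locations(xml_text):
        (rejected if "\r" in uri or "\n" in uri else accepted).append(uri)
    return accepted, rejected
```

A rejected entry is what a patched xspf_char_data must refuse or strip; the same check applied to playlist files before they are handed to MPD covers unpatched instances.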

Evidence notes

The vulnerability was disclosed via a VulnCheck advisory and independently reported through GitHub issue #2483. Patch commit 855085b35c67dddeef0652e2cb3ac8cdd4f457b7 addresses the flaw by adding sanitization in xspf_char_data. The MPD 0.24.11 release notes confirm the security fix. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N reflects a network attack vector requiring no privileges or user interaction, with low integrity impact and no confidentiality or availability impact.
