HIGH
hanxi
CVE published 2026-05-29
CVE-2026-10108
A path traversal vulnerability in xiaomusic v0.5.7 allows unauthenticated remote attackers to read arbitrary files from the server. The flaw exists in the GET /music/{file_path:path} endpoint, where an incomplete path prefix check fails to enforce directory boundaries. The comparison logic omits a trailing path separator when validating that requested files reside within the intended music directory. Atta [truncated]
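The check the description refers to, side by side with a containment check that does not have the gap. This is an added illustration, not code from xiaomusic; the music root and the requested file names are constructed for the example.

```python
import os

# Constructed music root for illustration; not a path from xiaomusic.
MUSIC_DIR = "/srv/music"


def is_allowed_weak(music_dir: str, requested: str) -> bool:
    """Prefix check of the kind the advisory describes: no trailing
    separator, so any path that merely starts with the directory *name*
    passes, including a sibling directory such as /srv/music_private."""
    target = os.path.normpath(os.path.join(music_dir, requested))
    return target.startswith(music_dir)


def is_allowed_strict(music_dir: str, requested: str) -> bool:
    """Containment check: resolve symlinks and '..' on both sides, then
    require the music root to be a path-component prefix of the target
    (equivalent to `target == root or target.startswith(root + os.sep)`)."""
    root = os.path.realpath(music_dir)
    target = os.path.realpath(os.path.join(root, requested))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        # Paths on different drives or of mixed kinds cannot be related.
        return False


if __name__ == "__main__":
    # Constructed requests: a legitimate file, a sibling-directory escape
    # that the weak check misses, and a classic traversal that both reject.
    for req in ("album/track.mp3", "../music_private/secret.txt", "../../etc/passwd"):
        print(f"{req:32} weak={is_allowed_weak(MUSIC_DIR, req)!s:5} "
              f"strict={is_allowed_strict(MUSIC_DIR, req)}")
```

Note that the weak check does reject a plain `../../etc/passwd`; it only fails for paths whose normalized form begins with the directory name, which is exactly why a string prefix test is not a directory boundary test.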