Music Player Daemon (MPD) versions prior to 0.24.11 contain a CRLF injection vulnerability in the XSPF playlist plugin. The flaw resides in the xspf_char_data function, which fails to sanitize XML numeric character references (NCRs) for carriage return (CR) and line feed (LF) bytes before passing decoded character data into URI fields. Attackers can craft malicious XSPF playlist files containing NCRs (e.g [truncated]
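The two halves of that flaw, decoding the numeric character references and then checking the result before it becomes a URI, are shown below as an added example. It is not MPD's code and does not reproduce the xspf_char_data function; the decoder, the accept_location check and the sample &lt;location&gt; strings are all constructed for the demonstration. The decoder only handles references up to U+007F, which is enough to show the CR/LF case.

```cpp
// Added example, not MPD's code: decode XML numeric character references
// (NCRs) the way a playlist plugin would see them, then refuse any URI that
// contains CR, LF or another control byte before it is used.
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <optional>
#include <string>

// Decode "&#NNN;" (decimal) and "&#xHH;" (hex) references up to U+007F,
// which is all this demo needs; other references are passed through as-is.
std::string decode_ncrs(const std::string &in) {
    std::string out;
    for (size_t i = 0; i < in.size();) {
        if (in.compare(i, 2, "&#") == 0) {
            size_t j = i + 2;
            bool hex = j < in.size() && (in[j] == 'x' || in[j] == 'X');
            if (hex) ++j;
            size_t end = in.find(';', j);
            if (end != std::string::npos && end > j) {
                std::string digits = in.substr(j, end - j);
                bool clean = true;
                for (unsigned char c : digits)
                    clean = clean && (hex ? std::isxdigit(c) : std::isdigit(c));
                if (clean) {
                    unsigned long cp = std::strtoul(digits.c_str(), nullptr, hex ? 16 : 10);
                    if (cp <= 0x7F) {
                        out.push_back(static_cast<char>(cp));
                        i = end + 1;
                        continue;
                    }
                }
            }
        }
        out.push_back(in[i++]);
    }
    return out;
}

// Hardened acceptance check: the decoded text becomes a URI only if it
// carries no control bytes (0x00-0x1F, 0x7F); CR and LF are the ones an
// injected "&#13;&#10;" would produce.
std::optional<std::string> accept_location(const std::string &raw) {
    std::string uri = decode_ncrs(raw);
    for (unsigned char c : uri)
        if (c < 0x20 || c == 0x7F) return std::nullopt;
    return uri;
}

int main() {
    // Constructed <location> contents: one benign, one carrying CRLF NCRs.
    const char *samples[] = {"http://radio.example/live.mp3",
                             "http://radio.example/live.mp3&#13;&#10;injected-line"};
    for (const char *s : samples) {
        auto uri = accept_location(s);
        std::printf("%-60s -> %s\n", s, uri ? uri->c_str() : "REJECTED");
    }
    return 0;
}
```

Note that a real XML parser normally resolves NCRs itself before invoking the character-data callback, so the plugin receives a bare 0x0D/0x0A rather than the literal "&#13;" text; the control-byte check therefore has to run on the decoded data, as accept_location does, not on the raw document.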
CVE-2026-49129 is a server-side request forgery (SSRF) vulnerability in Music Player Daemon (MPD) versions prior to 0.24.11. The vulnerability exists in the CurlInputPlugin component where CURLOPT_FOLLOWLOCATION is enabled without restricting CURLOPT_REDIR_PROTOCOLS_STR, allowing HTTP redirects to non-HTTP protocols including gopher, ftp, sftp, ldap, dict, rtmp, and rtsp. This bypasses the intended http/h [truncated]
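The policy that restricting the redirect protocols enforces is shown below as an added example; it is not MPD's code and does not use libcurl, so it runs offline. The redirect table standing in for the servers, the host names and the Location values are constructed for the demonstration, and the resolver only handles the Location forms that table uses (absolute, scheme-relative and absolute-path).

```cpp
// Added example, not MPD's code: follow a constructed chain of HTTP
// redirects while allowing only http and https targets. This is the
// policy that CURLOPT_REDIR_PROTOCOLS_STR="http,https" (or the older
// CURLOPT_REDIR_PROTOCOLS bitmask) makes libcurl enforce internally.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <initializer_list>
#include <map>
#include <optional>
#include <string>

// Lowercase scheme of an absolute URL, or "" for a relative reference.
std::string url_scheme(const std::string &url) {
    size_t colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    for (size_t i = 0; i < colon; ++i) {
        unsigned char c = url[i];
        if (!(std::isalnum(c) || c == '+' || c == '-' || c == '.')) return "";
    }
    std::string s = url.substr(0, colon);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Relative and scheme-relative Locations inherit the current scheme,
// which is already http/https; anything else must be on the allow-list.
bool redirect_target_allowed(const std::string &location) {
    std::string s = url_scheme(location);
    return s.empty() || s == "http" || s == "https";
}

// Minimal resolver for the Location forms used below: absolute URLs,
// scheme-relative "//host/path" and absolute-path "/path".
std::string resolve(const std::string &base, const std::string &loc) {
    if (!url_scheme(loc).empty()) return loc;
    size_t scheme_end = base.find("://");
    std::string scheme = base.substr(0, scheme_end);
    if (loc.rfind("//", 0) == 0) return scheme + ":" + loc;
    size_t path_start = base.find('/', scheme_end + 3);
    std::string origin = path_start == std::string::npos ? base : base.substr(0, path_start);
    return origin + loc;
}

using RedirectTable = std::map<std::string, std::string>;  // URL -> Location header

// Constructed stand-in for the servers involved; no network is touched.
RedirectTable sample_server() {
    return {
        {"http://radio.example/stream", "https://cdn.example/stream"},
        {"https://cdn.example/stream", "gopher://10.0.0.5:70/1internal"},
        {"http://radio.example/mirror", "//cdn.example/mirror.mp3"},
        {"http://loop.example/a", "http://loop.example/b"},
        {"http://loop.example/b", "http://loop.example/a"},
    };
}

// Final URL that would be fetched, or nullopt when the chain is refused
// because of a disallowed protocol or too many hops.
std::optional<std::string> follow_redirects(const RedirectTable &server,
                                            std::string url, int max_hops = 5) {
    for (int hop = 0; hop <= max_hops; ++hop) {
        auto it = server.find(url);
        if (it == server.end()) return url;            // 200, no Location
        if (!redirect_target_allowed(it->second)) return std::nullopt;
        url = resolve(url, it->second);
    }
    return std::nullopt;                                // redirect loop
}

int main() {
    for (const char *start : {"http://radio.example/stream",
                              "http://radio.example/mirror",
                              "http://loop.example/a"}) {
        auto end = follow_redirects(sample_server(), start);
        std::printf("%-32s -> %s\n", start, end ? end->c_str() : "REFUSED");
    }
    return 0;
}
```

With libcurl itself the equivalent is to keep CURLOPT_FOLLOWLOCATION but also set CURLOPT_REDIR_PROTOCOLS_STR to "http,https" (CURLOPT_PROTOCOLS_STR covers the initial request); a hop to gopher, ftp, dict or any other scheme then fails the transfer instead of being followed.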
Music Player Daemon (MPD) versions prior to 0.24.11 contain a path traversal vulnerability in the local storage plugin. The flaw exists in `LocalStorage::MapFSOrThrow` and `LocalStorage::MapUTF8`, where user-supplied URIs are concatenated with the storage root without canonicalization, allowing `..` segments to persist into the resolved path. An unauthenticated attacker can exploit this via the `listfiles [truncated]
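The concatenation pattern the advisory describes, next to a mapping that normalises the URI's segments first, is shown below as an added example. It is not MPD's code and does not reproduce `LocalStorage::MapFSOrThrow` or `LocalStorage::MapUTF8`; the function names, the storage root and the sample URIs are constructed for the demonstration, and the check is purely lexical (it does not consult the filesystem).

```cpp
// Added example, not MPD's code: map a client-supplied URI onto a storage
// root. The naive form concatenates and lets ".." survive into the path;
// the checked form resolves segments first and refuses to climb above root.
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// The vulnerable pattern: root + "/" + uri with no canonicalisation.
std::string map_uri_naive(const std::string &root, const std::string &uri) {
    return root + "/" + uri;
}

// Hardened mapping: rejects absolute URIs and embedded NUL, collapses "."
// and "..", and returns nullopt if ".." would move above the root.
std::optional<std::string> map_uri(const std::string &root, const std::string &uri) {
    if (!uri.empty() && uri[0] == '/') return std::nullopt;
    if (uri.find('\0') != std::string::npos) return std::nullopt;

    std::vector<std::string> stack;
    size_t start = 0;
    while (start <= uri.size()) {
        size_t end = uri.find('/', start);
        if (end == std::string::npos) end = uri.size();
        std::string seg = uri.substr(start, end - start);
        if (seg == "..") {
            if (stack.empty()) return std::nullopt;   // would escape the root
            stack.pop_back();
        } else if (!seg.empty() && seg != ".") {
            stack.push_back(seg);
        }
        start = end + 1;
    }

    std::string path = root;
    for (const auto &s : stack) path += "/" + s;
    return path;
}

int main() {
    // Constructed root and URIs, including a traversal attempt.
    const std::string root = "/var/lib/mpd/music";
    const char *uris[] = {"album/track.flac", "album/../other/x.mp3",
                          "../../../etc/passwd", "/etc/passwd"};
    for (const char *u : uris) {
        auto mapped = map_uri(root, u);
        std::printf("%-22s naive=%-45s checked=%s\n", u,
                    map_uri_naive(root, u).c_str(),
                    mapped ? mapped->c_str() : "REJECTED");
    }
    return 0;
}
```

A lexical check like this stops `..` traversal but says nothing about symlinks already present under the root; if those matter, resolve the final path with realpath and confirm it still has the root as a prefix before opening it.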
A stack buffer overflow vulnerability exists in Music Player Daemon (MPD) versions prior to 0.24.11. The flaw resides in the `pcm_unpack_24be` function within `src/pcm/Pack.cxx`, where an off-by-one write condition allows 1366 entries to be written into a 1365-entry buffer. Unauthenticated attackers can exploit this by issuing two MPD commands that reference a malicious HTTP audio source, causing the PCM [truncated]
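An unpacking routine with an explicit output bound is shown below as an added example. It is not MPD's code and does not reproduce `pcm_unpack_24be`; the function names are constructed, and it assumes a 4096-byte input chunk, which holds 1365 whole 24-bit samples plus one stray byte. That arithmetic matches the advisory's 1366-versus-1365 figure, but the page does not say how MPD's own count was derived, so the rounded-up counter here is only an illustration of how such an off-by-one arises.

```cpp
// Added example, not MPD's code: unpack packed 24-bit big-endian PCM into
// int32 samples without ever writing past the destination buffer.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Sign-extend three big-endian bytes into a 32-bit sample.
int32_t unpack_sample_24be(const uint8_t *p) {
    uint32_t v = (uint32_t(p[0]) << 16) | (uint32_t(p[1]) << 8) | uint32_t(p[2]);
    if (v & 0x800000u) v |= 0xFF000000u;
    return static_cast<int32_t>(v);
}

// Whole samples contained in n_bytes of packed 24-bit audio: 4096 -> 1365.
size_t packed24_sample_count(size_t n_bytes) { return n_bytes / 3; }

// A rounded-up count (assumed, not MPD's actual code) includes the partial
// trailing sample: 4096 -> 1366, one more than a 1365-entry buffer holds.
size_t packed24_sample_count_roundup(size_t n_bytes) { return (n_bytes + 2) / 3; }

// Unpack src into dest. Returns the number of samples written, which is
// never more than dest_cap; bytes that do not form a whole sample are dropped.
size_t pcm_unpack_24be_checked(int32_t *dest, size_t dest_cap,
                               const uint8_t *src, size_t n_bytes) {
    size_t n = packed24_sample_count(n_bytes);
    if (n > dest_cap) n = dest_cap;
    for (size_t i = 0; i < n; ++i)
        dest[i] = unpack_sample_24be(src + 3 * i);
    return n;
}

// Convenience wrapper: allocate a dest_cap-entry buffer, unpack, and return
// only the samples actually written.
std::vector<int32_t> unpack_24be_vec(const std::vector<uint8_t> &bytes, size_t dest_cap) {
    std::vector<int32_t> out(dest_cap);
    size_t n = pcm_unpack_24be_checked(out.data(), out.size(), bytes.data(), bytes.size());
    out.resize(n);
    return out;
}

int main() {
    // Constructed 4096-byte chunk, the size assumed in the lead-in.
    std::vector<uint8_t> chunk(4096, 0x80);
    std::printf("floor count: %zu, rounded-up count: %zu\n",
                packed24_sample_count(chunk.size()),
                packed24_sample_count_roundup(chunk.size()));
    std::vector<int32_t> samples = unpack_24be_vec(chunk, 1365);
    std::printf("unpacked %zu samples into a 1365-entry buffer, first = %d\n",
                samples.size(), samples[0]);
    return 0;
}
```

The two defences are the floor division for the count and the clamp against dest_cap; either alone closes the 1366-into-1365 case, and keeping both means a caller that miscounts the destination still cannot be driven past it.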