Medium severityGHSA Advisory· Published May 4, 2026· Updated May 5, 2026
CVE-2026-42052
CVE-2026-42052
Description
Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
beetsPyPI | < 2.10.0 | 2.10.0 |
Affected products
3- ghsa-coords2 versions
< 2.10.0+ 1 more
- (no CPE)range: < 2.10.0
- (no CPE)range: < 2.11.0-1.1
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.