CVE-2026-48559
Description
Lightweight Music Server (LMS) through 3.76.0 is vulnerable to stored XSS via malicious media file metadata tags that are rendered without sanitization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Lightweight Music Server (LMS) through version 3.76.0 contains a stored cross-site scripting (XSS) vulnerability located in src/lms/ui/Utils.cpp. The application fails to sanitize media file metadata tags, such as GENRE, ARTIST, or ALBUM, before rendering them in the web interface. This occurs because the application uses Wt::TextFormat::UnsafeXHTML when processing these tags, allowing arbitrary HTML and JavaScript to be injected into the UI [1], [3], [4].
Exploitation
An attacker needs to introduce a crafted media file containing malicious metadata into a directory scanned by the LMS library. This can be achieved using tools like metaflac to set the tag values to include an XSS payload [3]. Once the file is placed in the library, the attacker must trigger a library scan or cause the victim to view the file's information. When the web interface processes the metadata, the injected JavaScript executes automatically in the context of the victim's authenticated browser session [3], [4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript within the victim's browser session. This can lead to unauthorized actions performed on behalf of the user, potential session hijacking, or the theft of sensitive information displayed within the LMS web interface [1], [4].
Mitigation
As of the current disclosure, no specific patch version has been released to address this vulnerability. Users are advised to monitor the official repository for updates and avoid scanning media files from untrusted sources [2], [3].
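The escaping step that a plain-text render mode performs and that rendering with Wt::TextFormat::UnsafeXHTML skips, written out as a stand-alone example that is not LMS or Wt code, paired with the kind of scanner-side check a defender can run over library metadata before it reaches the UI. The function names, struct, and sample tag values below are constructed for this example.

```cpp
#include <string>
#include <string_view>
#include <vector>

// Escape the five characters that let a tag value break out of an HTML text
// node or attribute value. This is the step a plain-text render mode applies;
// rendering metadata as unsafe XHTML passes the raw value straight to the DOM.
std::string escapeHtml(std::string_view raw) {
    std::string out;
    out.reserve(raw.size());
    for (char c : raw) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// One metadata field read from a media file (constructed type, not LMS's).
struct TagRecord {
    std::string field;
    std::string value;
};

// Legitimate GENRE/ARTIST/ALBUM values essentially never contain angle
// brackets, so their presence is a cheap, low-noise indicator that a file in
// the library carries markup and deserves a look before it is scanned in.
bool looksLikeMarkup(std::string_view value) {
    return value.find_first_of("<>") != std::string_view::npos;
}

// Returns the names of fields whose values contain markup characters.
std::vector<std::string> suspiciousTags(const std::vector<TagRecord>& tags) {
    std::vector<std::string> flagged;
    for (const auto& t : tags) {
        if (looksLikeMarkup(t.value)) flagged.push_back(t.field);
    }
    return flagged;
}

// Constructed sample tags: two benign values (one with '&' and quotes that
// must still be escaped) and one GENRE value carrying an inert script tag.
const std::vector<TagRecord> kSampleTags = {
    {"ARTIST", "Rock & Roll Orchestra"},
    {"ALBUM",  "\"Live\" at the Hall"},
    {"GENRE",  "Electro <script>/* constructed marker */</script>"},
};
```

Rendering `escapeHtml(t.value)` instead of the raw value neutralizes the GENRE entry as literal text, while `suspiciousTags` lets a scan job flag the file before its metadata is displayed at all.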
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics analysis is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 3
News mentions: 0
No linked articles in our index yet.