VYPR
Vendor

Musicplayerdaemon

Products
2
CVEs
9
Across products
9
Status
Private

Products

2

Recent CVEs

9
  • CVE-2026-49127HigMay 28, 2026
    risk 0.49cvss 8.6epss 0.01

    Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin.…

  • CVE-2022-48363HigFeb 26, 2023
    risk 0.49cvss 7.5epss 0.01

    In MPD before 0.23.8, as used on Automotive Grade Linux and other platforms, the PipeWire output plugin mishandles a Drain call in certain situations involving truncated files. Eventually there is an assertion failure in libmpdclient because libqtappfw passes in a NULL pointer.

  • CVE-2018-9240HigApr 3, 2018
    risk 0.49cvss 7.5epss 0.02

    ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a user uses the chat screen and another client sends a long chat message, a crash and denial of service could occur.

  • CVE-2026-49128HigMay 28, 2026
    risk 0.42cvss 7.5epss 0.01

    Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain…

  • CVE-2026-49129MedMay 28, 2026
    risk 0.31cvss 5.8epss 0.00

    Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by…

  • CVE-2026-49130MedMay 28, 2026
    risk 0.27cvss 5.3epss 0.00

    Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric…

  • CVE-2022-46449Jan 10, 2023
    risk 0.00cvss epss 0.01

    An issue in MPD (Music Player Daemon) v0.23.10 allows attackers to cause a Denial of Service (DoS) via a crafted input.

  • CVE-2020-7466Oct 6, 2020
    risk 0.00cvss epss 0.02

    The PPP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted PPP authentication message to cause the daemon to read beyond allocated memory buffer, which would result in a denial of service condition.

  • CVE-2020-7465Oct 6, 2020
    risk 0.00cvss epss 0.03

    The L2TP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted L2TP control packet with AVP Q.931 Cause Code to execute arbitrary code or cause a denial of service (memory corruption).