{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23877", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T21:02:02.900Z", "datePublished": "2026-01-19T20:52:00.516Z", "dateUpdated": "2026-01-20T15:20:58.996Z"}, "containers": {"cna": {"title": "Directory Traversal & Filesystem can be accessed by a non-admin user", "problemTypes": [{"descriptions": [{"cweId": "CWE-25", "lang": "en", "description": "CWE-25: Path Traversal: '/../filedir'", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh"}, {"name": "https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3", "tags": ["x_refsource_MISC"], "url": "https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3"}], "affected": [{"vendor": "swingmx", "product": "swingmusic", "versions": [{"version": "< 2.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:52:00.516Z"}, "descriptions": [{"lang": "en", "value": "Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue."}], "source": {"advisory": "GHSA-pj88-9xww-gxmh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:12:47.007353Z", "id": "CVE-2026-23877", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:20:58.996Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23877", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T15:12:47.007353Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:13:49.972Z"}}], "cna": {"title": "Directory Traversal & Filesystem can be accessed by a non-admin user", "source": {"advisory": "GHSA-pj88-9xww-gxmh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "swingmx", "product": "swingmusic", "versions": [{"status": "affected", "version": "< 2.1.4"}]}], "references": [{"url": "https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh", "name": "https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3", "name": "https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-25", "description": "CWE-25: Path Traversal: '/../filedir'"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:52:00.516Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23877", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:20:58.996Z", "dateReserved": "2026-01-16T21:02:02.900Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T20:52:00.516Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:swingmx:swing_music:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6C617A2-90C7-409F-9D71-B31879D6A3BD", "versionEndExcluding": "2.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue."}, {"lang": "es", "value": "Swing Music es un reproductor de m\u00fasica autoalojado para archivos de audio locales. Antes de la versi\u00f3n 2.1.4, la funci\u00f3n `list_folders()` de Swing Music en el endpoint `/folder/dir-browser` es vulnerable a ataques de salto de directorio. Cualquier usuario autenticado (incluidos los no administradores) puede navegar por directorios arbitrarios en el sistema de archivos del servidor. La versi\u00f3n 2.1.4 soluciona el problema."}], "id": "CVE-2026-23877", "lastModified": "2026-03-13T14:42:23.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-19T21:15:52.147", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-25"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:48:39.665438+00:00", "value": {"mitigation_remediation": ["Upgrade Swing Music to version 2.1.4 or newer to eliminate the directory traversal vulnerability.", "If upgrading is not immediately possible, restrict the /folder/dir-browser endpoint to only authorized directories or disable it entirely for authenticated users lacking appropriate permissions.", "Implement input validation for the path parameter in list_folders() to reject traversal sequences such as \"..\" or leading slashes.", "Monitor authentication and directory access logs for anomalous traversal attempts and investigate any suspicious activity."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected software is Swing Music, a self-hosted music player maintained by swingmx. All versions prior to 2.1.4 are vulnerable; the fix was introduced in 2.1.4. Thus any deployment running Swing Music version 2.1.3 or earlier is at risk.\n", "description_and_impact": "Swing Music\u2019s /folder/dir-browser endpoint contains a directory traversal flaw in the list_folders() function that allows any authenticated user\u2014including those without admin privileges\u2014to enumerate and retrieve files from arbitrary directories on the server. This vulnerability is a classic path traversal (CWE\u201125) coupled with an improper authorization mechanism (CWE\u2011284), enabling the disclosure of sensitive data that may include system files or other private host content. The ability to read arbitrary paths without needing elevated rights means the attack can be launched by a normal user account, potentially exposing confidential or proprietary information.\n", "risk_and_exploitability": "The CVSS v3.1 base score of 5.3 rates this issue as moderately severe. The EPSS score of less than 1\u202f% indicates a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authentication but does not rely on excessive privileges, it is likely to be exercised by any user who gains valid credentials to the application. No known remote code execution vector is indicated, so the primary risk remains confidential data exposure.\n"}}}}, "created": "2026-01-20T08:40:24.344159+00:00", "updated": "2026-04-18T16:00:04.280379+00:00", "vendors": ["swingmx", "swingmx$PRODUCT$swingmusic"]}