MEDIUM 5.4

CVE-2026-48559: Lightweight Music Server Stored XSS in Media Metadata

Lightweight Music Server (LMS) version 3.76.0 and earlier contains a stored cross-site scripting (XSS) vulnerability in how it handles media file metadata. An attacker can craft a malicious media file with embedded JavaScript in tags like GENRE, ARTIST, or ALBUM, then introduce it into a victim's music library. When the library is scanned, the payload is permanently stored and automatically executes in the web interface whenever that file's metadata is displayed, potentially allowing unauthorized actions on behalf of the logged-in user.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Lightweight Music Server (LMS) though 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim's library, causing the payload to be saved during library scanning and executed automatically in the web interface due to tag content being rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in src/lms/ui/Utils.cpp where media metadata tags are rendered using Wt::TextFormat::UnsafeXHTML without input sanitization. This allows attackers to inject arbitrary HTML and JavaScript into GENRE, ARTIST, ALBUM, and potentially other metadata fields. During library scanning, malicious content is persisted in the application state. Subsequent rendering of the metadata in the web UI executes the stored payload in the context of authenticated sessions. The attack requires an authenticated user to interact with the compromised library, but the payload triggers automatically upon viewing affected metadata.

Business impact

Organizations running Lightweight Music Server as part of their media infrastructure face session hijacking, data theft, and malicious actions performed on behalf of legitimate users. An attacker could exfiltrate user credentials, modify library contents, or pivot to connected systems. While the CVSS score reflects medium severity, the stored nature of the payload means repeated exposure across all users who access the library, and compromise of shared music repositories could affect multiple team members simultaneously.

Affected systems

Lightweight Music Server through version 3.76.0 is affected. The vulnerability applies to all instances where authentication is configured and users access the web interface. No vendor-specific product variants are documented in this advisory; however, organizations should verify their exact deployment version and any vendor-provided patches or hardened builds against the official LMS advisory.

Exploitability

Exploitation requires authentication and social engineering to introduce a malicious media file into the target library. The attacker cannot remotely inject files without library access; however, once a crafted file is present, the payload executes automatically to any authenticated user viewing that metadata. The attack is reliable and reproducible, with no additional user interaction beyond normal library browsing needed to trigger execution. Public proof-of-concept code has not been confirmed in circulation as of the advisory date.

Remediation

Patch Lightweight Music Server to a version that sanitizes metadata output. Verify the specific patched version with the vendor advisory, as version numbers may vary by distribution channel. Until patching is feasible, restrict library scanning to trusted media sources, disable metadata editing by untrusted users, and review library contents for suspicious tags. Consider isolating LMS instances from sensitive network segments and enforcing Content Security Policy headers where possible to limit XSS payload impact.

Patch guidance

Consult the official Lightweight Music Server advisory and release notes to identify the patched version that addresses CVE-2026-48559. Apply the update through your standard patch management process, verify the fix is in place by confirming the version number post-update, and test library functionality in a non-production environment if feasible. Document the update for compliance records. If patches are delayed, implement compensating controls such as read-only library mode and restricted user permissions.

Detection guidance

Monitor LMS access logs and web server logs for unusual patterns in metadata viewing or library scanning activity. Search media metadata stored in the LMS database or configuration files for HTML tags, script tags, or event handler attributes in GENRE, ARTIST, ALBUM fields and other metadata locations. Enable verbose logging in the LMS application if available. Network detection should flag attempts to exfiltrate session cookies or perform unusual API calls from LMS processes. Endpoint monitoring for unexpected JavaScript execution from browser processes accessing LMS should be reviewed.

Why prioritize this

Although assigned CVSS 5.4 (Medium), this vulnerability should be prioritized for patching because it is a stored XSS affecting authenticated users in a shared media platform. The persistent nature means repeated exposure across all library users, and compromise of centralized music repositories can affect multiple team members. Organizations with shared LMS deployments should patch promptly; isolated single-user instances pose lower immediate risk but should still be updated in regular maintenance cycles.

Risk score, explained

The CVSS 3.1 score of 5.4 reflects: (1) Network-accessible attack vector; (2) Low attack complexity—no special conditions required once a malicious file is present; (3) Low privileges required—authentication is needed, limiting exposure; (4) User interaction required—the authenticated user must view the compromised metadata; (5) Changed scope—the XSS can affect other users and potentially the application context; (6) Low confidentiality and integrity impact to user session data and library state. The score does not account for the stored persistence of the payload, which elevates practical risk beyond the numerical score.

Frequently asked questions

Can an unauthenticated attacker trigger this vulnerability?

No. The attacker must either have valid credentials to upload media files to the library or persuade a legitimate user to add a crafted media file. However, once the payload is stored, any authenticated user accessing that metadata will trigger execution.

What happens if an attacker successfully exploits this vulnerability?

The attacker can execute arbitrary JavaScript in the victim's browser session, potentially stealing session tokens, modifying library contents, performing actions as the authenticated user, or redirecting to malicious sites. The scope of damage depends on the LMS user's permissions and the sensitivity of data accessible through that session.

Does patching Lightweight Music Server immediately remove the threat?

Patching stops new exploitation vectors, but you should also audit your library for any suspicious media files with HTML or script tags in metadata fields. Existing malicious payloads in the database will continue to execute until those files are removed or their metadata is sanitized.

Are there workarounds if I cannot patch immediately?

Yes. Implement read-only library access for untrusted users, disable metadata editing, restrict library scanning to known-safe media sources, and monitor for unusual XSS indicators in logs. However, these are temporary measures and patching should remain a priority.

This analysis is based on publicly disclosed vulnerability data as of June 2026. Patch version numbers and exact remediation steps should be verified against the official Lightweight Music Server advisory and vendor documentation. Organizations should test patches in non-production environments before broad deployment. This information is provided for informational purposes and should not be construed as legal advice or a substitute for professional security assessment. Severity and risk may vary based on specific deployment configurations and organizational context. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).