CVE-2026-49130
CRLF Injection in Music Player Daemon XSPF Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| music_player_daemon | mpd | to 0.24.11 (exc) |
| musicplayerdaemon | mpd | to 0.24.11 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-49130 is a CRLF injection vulnerability in Music Player Daemon (MPD) versions before 0.24.11. It occurs in the xspf_char_data function of the XSPF playlist plugin, where attackers can embed literal carriage return (CR) and line feed (LF) characters into URI fields by supplying a malicious XSPF playlist containing XML numeric character references.
Because the XML parser Expat decodes these numeric character references before the character data callback, the injected CR/LF bytes are interpreted as actual newlines. These newlines are not filtered out when processing URIs, allowing attackers to inject forged key-value lines into MPD protocol responses such as playlistinfo, currentsong, and listplaylist outputs, as well as into the state file writer.
This injection can cause client confusion, protocol poisoning, and potentially enable stored cross-site scripting (XSS) in web clients if the injected data is rendered without proper escaping.
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to inject forged metadata into MPD protocol responses, which can confuse clients or poison downstream systems that rely on MPD data.
- Clients may display incorrect or malicious information due to forged key-value pairs injected into playlist entries.
- Web clients that render MPD data without proper escaping may be vulnerable to stored cross-site scripting (XSS) attacks.
- The protocol desynchronization caused by injected newlines can disrupt normal operation and communication with MPD.
Overall, the vulnerability can lead to misinformation, security risks in client applications, and potential exploitation in web environments.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring MPD protocol responses such as playlistinfo, currentsong, and listplaylist outputs for unexpected or forged key-value lines that indicate CRLF injection.
Specifically, look for protocol response lines that contain suspicious or malformed entries injected via the <location> URI field, such as unexpected keys like 'file: pwned-by-xspf-injection', 'Time: 1', 'Id: 9999', or 'Title: pwned'.
Commands to detect this might include querying MPD with commands like `playlistinfo`, `currentsong`, or `listplaylist` and inspecting the output for injected lines or anomalies.
- Run `mpc playlistinfo` or connect to MPD and issue the `playlistinfo` command to check for unexpected multi-line entries.
- Use `mpc currentsong` to see if the current song metadata contains injected lines.
- Inspect MPD state files or logs for unusual key-value pairs that do not correspond to legitimate metadata.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Music Player Daemon (MPD) to version 0.24.11 or later, where this vulnerability has been patched.
The patch includes validation of URIs in playlist plugins to reject URIs containing newline characters, preventing CRLF injection.
Until an upgrade is possible, avoid loading untrusted or malicious XSPF playlists that could exploit this vulnerability.
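The following is an added example, not code from MPD or from this advisory. It reproduces the mechanism described above in Python's own Expat binding (`xml.parsers.expat`): numeric character references inside a `<location>` element are decoded to literal CR/LF before the character-data callback fires. It then applies the check the advisory attributes to the fix, rejecting any playlist URI that contains a newline, so that a line-oriented protocol writer never sees one. The playlist text, file names and the `Title: pwned` fragment are constructed sample input; the function names are this example's own.

```python
"""Added example (not MPD's code): parse an XSPF playlist with Expat and
reject <location> URIs that decode to text containing CR or LF."""
import xml.parsers.expat

# Constructed sample playlist. The second <location> carries the numeric
# character references &#13;&#10;, which Expat decodes to a literal CR LF
# before handing the text to the character-data callback.
SAMPLE_XSPF = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<playlist version="1" xmlns="http://xspf.org/ns/0/">\n'
    '  <trackList>\n'
    '    <track><location>music/ok.flac</location></track>\n'
    '    <track><location>music/bad.flac&#13;&#10;Title: pwned</location></track>\n'
    '  </trackList>\n'
    '</playlist>\n'
)


def uri_has_newline(uri: str) -> bool:
    """The validation the advisory describes for the fixed release: a playlist
    URI containing CR or LF is rejected, because every MPD protocol response
    and the state file are line-based and would treat the bytes as new records."""
    return "\r" in uri or "\n" in uri


def xspf_locations(data: str) -> list:
    """Collect the decoded text of every <location> element using Expat
    callbacks.  Expat may deliver one element's text in several chunks
    (the CR and LF typically arrive as separate callbacks), so the text is
    buffered until the matching end tag instead of taken from one callback."""
    locations = []
    buf = []
    in_location = [False]  # list so the nested callbacks can mutate it

    def start(name, attrs):
        # No namespace processing is requested, so the tag name is the bare
        # local name as written in the document.
        if name == "location":
            in_location[0] = True
            buf.clear()

    def end(name):
        if name == "location":
            in_location[0] = False
            locations.append("".join(buf))

    def char_data(text):
        if in_location[0]:
            buf.append(text)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return locations


def validate_playlist(data: str) -> dict:
    """Split the playlist's URIs into those safe to pass on to a line-based
    writer and those that must be dropped (they contain CR or LF)."""
    accepted, rejected = [], []
    for uri in xspf_locations(data):
        (rejected if uri_has_newline(uri) else accepted).append(uri)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    result = validate_playlist(SAMPLE_XSPF)
    for uri in result["accepted"]:
        print("accepted:", uri)
    for uri in result["rejected"]:
        # repr() makes the embedded CR/LF visible instead of splitting the line
        print("rejected:", repr(uri))
```

Running the block shows `music/ok.flac` accepted and `'music/bad.flac\r\nTitle: pwned'` rejected. The same `uri_has_newline` test applied at the point where a URI is written out (protocol response or state file) is the general form of the mitigation: whatever the input format, a value that will become part of a line-delimited record must not itself contain line delimiters.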