CVE-2026-49130
Deferred Deferred - Pending Action
CRLF Injection in Music Player Daemon XSPF Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: VulnCheck

Description
Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-18
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-16
NVD
CVE-2026-49130
EUVD
EUVD-2026-33006
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
music_player_daemon mpd to 0.24.11 (exc)
musicplayerdaemon mpd to 0.24.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Music Player Daemon (MPD) allows attackers to inject forged key-value lines into protocol responses and state files by exploiting CRLF injection in URI fields. This can lead to client confusion, protocol poisoning, and potentially stored cross-site scripting (XSS) in web clients if the injected data is rendered without proper escaping.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to inject malicious data and potentially manipulate client behavior or stored data could pose risks related to data integrity and security controls required by such regulations.

Specifically, if MPD is used in environments handling sensitive or personal data, this vulnerability could undermine the confidentiality and integrity of that data, which are key principles in regulations like GDPR and HIPAA. However, no direct linkage or impact on compliance is detailed in the provided information.

Executive Summary

CVE-2026-49130 is a CRLF injection vulnerability in Music Player Daemon (MPD) versions before 0.24.11. It occurs in the xspf_char_data function of the XSPF playlist plugin, where attackers can embed literal carriage return (CR) and line feed (LF) characters into URI fields by supplying a malicious XSPF playlist containing XML numeric character references.

Because the XML parser Expat decodes these numeric character references before the character data callback, the injected CR/LF bytes are interpreted as actual newlines. These newlines are not filtered out when processing URIs, allowing attackers to inject forged key-value lines into MPD protocol responses such as playlistinfo, currentsong, and listplaylist outputs, as well as into the state file writer.

This injection can cause client confusion, protocol poisoning, and potentially enable stored cross-site scripting (XSS) in web clients if the injected data is rendered without proper escaping.

Impact Analysis

This vulnerability can impact users by allowing attackers to inject forged metadata into MPD protocol responses, which can confuse clients or poison downstream systems that rely on MPD data.

  • Clients may display incorrect or malicious information due to forged key-value pairs injected into playlist entries.
  • Web clients that render MPD data without proper escaping may be vulnerable to stored cross-site scripting (XSS) attacks.
  • The protocol desynchronization caused by injected newlines can disrupt normal operation and communication with MPD.

Overall, the vulnerability can lead to misinformation, security risks in client applications, and potential exploitation in web environments.

Detection Guidance

This vulnerability can be detected by monitoring MPD protocol responses such as playlistinfo, currentsong, and listplaylist outputs for unexpected or forged key-value lines that indicate CRLF injection.

Specifically, look for protocol response lines that contain suspicious or malformed entries injected via the <location> URI field, such as unexpected keys like 'file: pwned-by-xspf-injection', 'Time: 1', 'Id: 9999', or 'Title: pwned'.

Commands to detect this might include querying MPD with commands like `playlistinfo`, `currentsong`, or `listplaylist` and inspecting the output for injected lines or anomalies.

  • Run `mpc playlistinfo` or connect to MPD and issue the `playlistinfo` command to check for unexpected multi-line entries.
  • Use `mpc currentsong` to see if the current song metadata contains injected lines.
  • Inspect MPD state files or logs for unusual key-value pairs that do not correspond to legitimate metadata.
Mitigation Strategies

The primary mitigation is to upgrade Music Player Daemon (MPD) to version 0.24.11 or later, where this vulnerability has been patched.

The patch includes validation of URIs in playlist plugins to reject URIs containing newline characters, preventing CRLF injection.

Until an upgrade is possible, avoid loading untrusted or malicious XSPF playlists that could exploit this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49130. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart