CVE-2026-23877

Summary

Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's list_folders() function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
swingmxswingmusic< 2.1.4affected

Weaknesses

  • CWE-25: CWE-25: Path Traversal: '/../filedir'
  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References