
Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS

Severity: High
Advisory ID: ZSL-2026-5987
Release Date: 31 May 2026
Vendor:
Affected Version: 3.76.0
Tested On: GNU/Linux (ARM64), nginx
Summary

LMS (Lightweight Music Server) is a C++ project focused on a low memory footprint, featuring built-in user management and a recommendation engine.

Description

LMS stores media file metadata tags (such as GENRE, ARTIST, and ALBUM) exactly as written in the file and later renders them in its web interface without HTML-encoding them, resulting in stored cross-site scripting. An attacker who gets a file with a malicious tag into the victim's library has the payload saved during the next library scan and executed automatically whenever a user views that track's information or plays the file in the web UI.

/src/lms/ui/Utils.cpp
---------------------

    // Builds a filter badge from a metadata value. The name is passed to
    // Wt::WText as UnsafeXHTML, so markup inside the tag is rendered, not escaped.
    std::unique_ptr<Wt::WInteractWidget> createFilter(const Wt::WString& name, const Wt::WString& tooltip, std::string_view colorStyleClass, bool canDelete)
    {
        auto res{ std::make_unique<Wt::WText>(Wt::WString{ canDelete ? "<i class=\"fa fa-times-circle\"></i> " : "" } + name, Wt::TextFormat::UnsafeXHTML) };
        res->setStyleClass("Lms-badge-cluster badge me-1 " + std::string{ colorStyleClass });
        res->setInline(true);
        return res;
    }
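The following is an added example, not code from the LMS project or the advisory author. It shows the defect in the snippet above in a toolkit-independent form: the trusted icon markup and the untrusted metadata value are concatenated into one string that is then treated as HTML. The hardened version escapes the metadata value before concatenation, which is the same effect as handing the value to Wt::WText with Wt::TextFormat::Plain instead of Wt::TextFormat::UnsafeXHTML. The names escapeHtml, renderBadgeUnsafe, renderBadgeSafe and tagLooksLikeMarkup are hypothetical, and the GENRE value used as input is constructed.

```cpp
// Added example (not LMS project code). Escapes metadata tag values before they
// are placed into HTML, and flags values that carry markup so a library scan
// can log them. All names here are hypothetical.
#include <iostream>
#include <string>
#include <string_view>

// Escape the characters that can change HTML structure or break out of an
// attribute value, so an arbitrary tag value becomes inert text.
std::string escapeHtml(std::string_view in)
{
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// Vulnerable shape of createFilter(): the metadata value is concatenated
// straight into markup that the browser will parse as HTML.
std::string renderBadgeUnsafe(std::string_view name, bool canDelete)
{
    std::string icon = canDelete ? "<i class=\"fa fa-times-circle\"></i> " : "";
    return "<span class=\"badge\">" + icon + std::string{ name } + "</span>";
}

// Hardened shape: the trusted icon markup is still emitted as HTML, but the
// untrusted metadata value is escaped first, so it can only render as text.
std::string renderBadgeSafe(std::string_view name, bool canDelete)
{
    std::string icon = canDelete ? "<i class=\"fa fa-times-circle\"></i> " : "";
    return "<span class=\"badge\">" + icon + escapeHtml(name) + "</span>";
}

// Detection hook for a library scan: a GENRE/ARTIST/ALBUM value that contains
// angle brackets is not a normal tag and is worth logging for review.
bool tagLooksLikeMarkup(std::string_view tagValue)
{
    return tagValue.find_first_of("<>") != std::string_view::npos;
}

int main()
{
    // Constructed sample tag value; legitimate text mixed with HTML markup.
    const std::string genre = "Rock & <b>Roll</b>";

    std::cout << "unsafe: " << renderBadgeUnsafe(genre, true) << '\n';
    std::cout << "safe:   " << renderBadgeSafe(genre, true) << '\n';
    if (tagLooksLikeMarkup(genre))
        std::cout << "scan: GENRE value contains markup, logged for review\n";
    return 0;
}
```

The unsafe variant emits the `<b>` element from the tag as real markup, while the safe variant emits `&lt;b&gt;`, which the browser shows literally; the scan-time check gives operators a signal independent of the rendering fix.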
Proof of Concept
Disclosure Timeline
27.05.2026 Vulnerability discovered.
31.05.2026 Opened a new ticket (#844) on GitHub.
31.05.2026 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
31.05.2026 Initial release
01.06.2026 Added reference [1] and [2]
02.06.2026 Added reference [3], [4], [5] and [6]