CVE-2026-23877
📋 TL;DR
Swing Music versions before 2.1.4 contain a directory traversal vulnerability in the list_folders() function. Authenticated users (including non-admins) can access arbitrary directories on the server filesystem. This affects all deployments running vulnerable versions of Swing Music.
💻 Affected Systems
- Swing Music
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files (passwords, SSH keys, configuration files), potentially leading to full server compromise.
Likely Case
Unauthorized access to music libraries, configuration files, and other application data stored on the server.
If Mitigated
Limited to accessing only intended music directories with proper input validation.
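The "proper input validation" referred to above, shown as an added illustration that is not Swing Music's code and not its actual fix: the requested path is canonicalised and accepted only when it resolves inside a configured library root. The `ALLOWED_ROOTS` values and the function names are constructed for this example.

```python
import os

# Constructed example library roots; a real deployment would use the
# directories configured for the application (assumed values, not Swing Music's).
ALLOWED_ROOTS = ["/srv/music", "/mnt/media/music"]


def resolve_within_roots(requested, roots=ALLOWED_ROOTS):
    """Return the canonical path for `requested` if it lies inside one of
    `roots`, otherwise None.

    realpath() collapses '..' segments and follows symlinks, so the check runs
    on the directory the OS would actually open, not on the string the client
    sent.
    """
    for root in roots:
        root_real = os.path.realpath(root)
        # os.path.join discards `root_real` when `requested` is absolute;
        # the commonpath test below still rejects that case.
        candidate = os.path.realpath(os.path.join(root_real, requested))
        # commonpath, unlike str.startswith, does not accept '/srv/music2'
        # as being inside '/srv/music'.
        if os.path.commonpath([root_real, candidate]) == root_real:
            return candidate
    return None


def list_folders_safely(requested, roots=ALLOWED_ROOTS):
    """Directory listing gated on the containment check; returns [] for
    rejected or missing paths rather than raising."""
    target = resolve_within_roots(requested, roots)
    if target is None or not os.path.isdir(target):
        return []
    return sorted(os.listdir(target))


if __name__ == "__main__":
    samples = ["albums/jazz", "../../etc", "/etc/passwd",
               "/srv/music2/x", "/mnt/media/music/rock"]
    for p in samples:
        print(f"{p!r:26} -> {resolve_within_roots(p)}")
```

The containment test is done with `os.path.commonpath` on the resolved path rather than a string prefix check, because a prefix check would accept a sibling directory whose name merely starts with the root name, and because a symlink placed inside the library could otherwise point outside it.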
🎯 Exploit Status
Directory traversal attacks are well-understood and easy to execute with basic web testing tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.4
Vendor Advisory: https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh
Restart Required: Yes
Instructions:
1. Stop the Swing Music service.
2. Update to version 2.1.4 via package manager or manual installation.
3. Restart the service.
🔧 Temporary Workarounds
Restrict User Access
Limit authenticated user accounts to trusted individuals only
Network Segmentation
Restrict network access to Swing Music to trusted networks only
🧯 If You Can't Patch
- Implement strict file system permissions to limit Swing Music's access to only necessary directories
- Deploy a web application firewall (WAF) with directory traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Check if Swing Music version is below 2.1.4. Test authenticated access to /folder/dir-browser endpoint with directory traversal payloads.
Check Version:
Check package manager or application logs for version information
Verify Fix Applied:
Confirm version is 2.1.4 or higher. Test that directory traversal attempts now return proper error messages.
📡 Detection & Monitoring
Log Indicators:
- Unusual directory paths in /folder/dir-browser endpoint requests
- Multiple failed attempts to access parent directories
Network Indicators:
- HTTP requests containing '../' patterns to the vulnerable endpoint
SIEM Query:
source="swingmusic" AND (url="*/folder/dir-browser*" AND (url="*../*" OR url="*..\\*"))
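The log and network indicators above, turned into a small detector as an added example (not part of the original advisory). It goes one step beyond the SIEM query: the request URL is percent-decoded before matching, so a traversal sequence sent as `%2e%2e%2f` or double-encoded is still caught, whereas a literal `*../*` match would miss it. The access-log lines and the `path=` query parameter are constructed for the example; the real request shape of Swing Music's `/folder/dir-browser` endpoint may differ.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log shape (not real Swing
# Music logs). The `path=` parameter name is an assumption for the example.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Mar/2026:10:01:02 +0000] "GET /folder/dir-browser?path=/srv/music/albums HTTP/1.1" 200 512
10.0.0.7 - bob [03/Mar/2026:10:01:09 +0000] "GET /folder/dir-browser?path=/srv/music/../../etc HTTP/1.1" 200 2048
10.0.0.7 - bob [03/Mar/2026:10:01:11 +0000] "GET /folder/dir-browser?path=%2Fsrv%2Fmusic%2F..%2F..%2Froot HTTP/1.1" 200 1024
10.0.0.7 - bob [03/Mar/2026:10:01:15 +0000] "GET /folder/dir-browser?path=C:\\music\\..\\..\\Windows HTTP/1.1" 403 0
10.0.0.9 - carol [03/Mar/2026:10:02:00 +0000] "GET /api/search?q=..%2F HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# '../' or '..\' after decoding; both separators, matching the SIEM query.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|\\)')


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded sequences
    such as %252e%252e%252f normalise to '../' as well."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_traversal_requests(log_text, endpoint="/folder/dir-browser"):
    """Return one record per request to `endpoint` whose decoded URL
    contains a parent-directory sequence."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = m.group("url")
        if not url.startswith(endpoint):
            continue  # only the vulnerable endpoint is of interest here
        decoded = decode_fully(url)
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "url": url,
                "decoded_url": decoded,
            })
    return hits


def suspicious_users(hits, threshold=2):
    """Users with at least `threshold` traversal attempts, for the
    'multiple attempts' log indicator."""
    counts = Counter(h["user"] for h in hits)
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_traversal_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["user"]}@{h["ip"]} {h["status"]} {h["decoded_url"]}')
    print("repeat offenders:", suspicious_users(found))
```

A `200` status on a flagged request is the case worth escalating: on a patched version the advisory expects such requests to be rejected, so a successful response suggests either an unpatched instance or a bypass of the fix. The decode loop is bounded so a deliberately deep encoding cannot turn the detector into a CPU sink.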