CVE-2026-26975 · HIGH 8.8 · EPSS percentile 69.9%


Description

Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated, network-adjacent attackers to execute arbitrary code on affected installations. The music/playlists/update API lets a caller bypass the .m3u extension enforcement and write files anywhere on the filesystem, a problem exacerbated by the container running as root. This can be exploited to achieve remote code execution by writing a malicious .pth file into the Python site-packages directory: the interpreter's site module processes every .pth file there at startup and exec()s any line that begins with "import", so the attacker's commands run the next time Python starts. This issue has been fixed in version 2.7.0.
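As an added example (not Music Assistant's code and not the fix shipped in the referenced pull request): a hardened validator for an untrusted playlist name, next to a demonstration of why write access to site-packages is code execution. The playlist directory path, function names and sample requests below are assumptions; site.addsitedir() is the standard library's real mechanism, the same one the interpreter runs for site-packages at startup.

```python
"""Illustrative only: a hardened playlist-path validator next to a demonstration
of why a writable site-packages directory is code execution. Not Music
Assistant's code; function and variable names are assumptions."""
import os
import site
import tempfile
from pathlib import Path, PurePosixPath

PLAYLIST_SUFFIX = ".m3u"  # the only file type a playlist-update endpoint should write


def safe_playlist_path(base_dir: str, requested_name: str) -> Path:
    """Map an untrusted playlist name to a file strictly inside base_dir.

    Rejects anything that would let the caller choose a directory (CWE-22/CWE-73)
    and forces the .m3u suffix on the name that is actually stored (CWE-434),
    so a request for "evil.pth" can never produce a file that site.py would load.
    """
    if not requested_name or "\x00" in requested_name:
        raise ValueError("empty or NUL-containing playlist name")
    # Only a bare file name is acceptable: any separator, "." or ".." is refused
    # rather than sanitized, because "../" stripping is the classic bypass source.
    name = PurePosixPath(requested_name.replace("\\", "/")).name
    if name != requested_name or name in (".", ".."):
        raise ValueError(f"playlist name must be a plain file name: {requested_name!r}")
    # Enforce the extension on the final name, not on a substring of the request:
    # "evil.pth" becomes "evil.pth.m3u", which the interpreter never executes.
    if not name.endswith(PLAYLIST_SUFFIX):
        name += PLAYLIST_SUFFIX
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    # Belt and braces: after resolving symlinks the file must still be a direct
    # child of the playlist directory.
    if target.parent != base:
        raise ValueError(f"resolved path escapes {base}: {target}")
    return target


def is_safe_playlist_name(base_dir: str, requested_name: str) -> bool:
    """Boolean wrapper so callers (and tests) can triage names without try/except."""
    try:
        safe_playlist_path(base_dir, requested_name)
        return True
    except ValueError:
        return False


def demonstrate_pth_execution(marker_var: str = "MA_PTH_DEMO") -> bool:
    """Impact side: drop a .pth file into a directory and let the standard
    library's site.addsitedir() process it exactly as it processes site-packages
    at interpreter startup. Lines beginning with "import" are exec()'d, so
    whoever can write a .pth into site-packages runs code in every Python
    process started afterwards. This constructed .pth only sets an environment
    variable; an attacker's line would spawn a shell instead.
    """
    os.environ.pop(marker_var, None)
    with tempfile.TemporaryDirectory() as sitedir:
        pth_path = os.path.join(sitedir, "zz_demo.pth")  # constructed sample file
        with open(pth_path, "w", encoding="utf-8") as fh:
            fh.write(f'import os; os.environ["{marker_var}"] = "executed"\n')
        site.addsitedir(sitedir)  # same code path the interpreter runs at startup
    return os.environ.get(marker_var) == "executed"


if __name__ == "__main__":
    playlists = "/srv/music-assistant/playlists"  # assumed location; nothing is written there
    for req in ["chill", "chill.m3u", "evil.pth", "../../evil.pth", "dir/x.m3u", ".."]:
        verdict = "ok    " if is_safe_playlist_name(playlists, req) else "reject"
        print(f"{verdict} {req!r}")
    print("pth line executed:", demonstrate_pth_execution())
```

The validator refuses rather than rewrites: a name containing a separator or traversal component is an error, and the suffix is applied to the name that is stored, not checked against the raw request. The .pth demonstration is also the argument for the "running as root" part of the description: with the service running as an unprivileged user, site-packages is not writable and the same traversal would not reach code execution.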

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.45% probability of exploitation · percentile 69.9% · scored 2026-06-19T12:03:05Z
Published: 2026-02-20
Last modified: 2026-03-17

Underlying weaknesses (3)

CWE-22, CWE-73, CWE-434

References

  1. https://github.com/music-assistant/server/pull/2684
  2. https://github.com/music-assistant/server/releases/tag/2.7.0
  3. https://github.com/music-assistant/server/security/advisories/GHSA-7jcc-p6xr-835j

Weakness mapping (3)

Type     | Target                                                                          | CWE     | Confidence | Tier
Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE-22  | 0%         | live
Weakness | Unrestricted Upload of File with Dangerous Type                                 | CWE-434 | 0%         | live
Weakness | External Control of File Name or Path                                           | CWE-73  | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-32399
CVE-2025-32106
CVE-2026-48559
CVE-2025-11607
CVE-2025-36937
CVE-2026-22562

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.