Stored Cross-Site Scripting Vulnerability in Lightweight Music Server by Epopon
CVE-2026-48559

5.1MEDIUM

Key Information:

Vendor: Epoupon
Status: Lms
Vendor: CVE Published:; 1 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-48559?

The Lightweight Music Server (LMS) version 3.76.0 contains a stored cross-site scripting vulnerability that enables attackers to execute arbitrary JavaScript code. This vulnerability occurs when malicious HTML is embedded in media file metadata tags, such as GENRE, ARTIST, or ALBUM. Attackers can craft a malicious media file and introduce it into the victim's library. During library scanning, this payload gets saved and executed automatically in the web interface, owing to the unsafe rendering of tag content using Wt::TextFormat::UnsafeXHTML without proper sanitization.

Affected Version(s)

lms 0 <= 3.76.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-48559 - Proof of Concept

References

https://www.zeroscience.mk/#/advisories/ZSL-2026-5987

technical-descriptionexploit

https://github.com/epoupon/lms/issues/844

https://github.com/epoupon/lms/milestone/94

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 1, 2026
👾
Exploit known to exist
Jun 1, 2026
Vulnerability published
Jun 1, 2026
Vulnerability Reserved
May 21, 2026

Credit

LiquidWorm as Gjoko Krstic of Zero Science Lab

CVE-2026-48559 Data

JSON

Epoupon

Badges

What is CVE-2026-48559?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit