Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: mpd-small

Found 4 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-49127
8.8 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 11 hours ago by @LeSuisse Activity log
  • Created suggestion 17 hours ago
  • @LeSuisse ignored
    11 packages
    • ympd
    • mpdas
    • mympd
    • compdb
    • libmpd
    • mpdcron
    • mpdris2
    • mpd-sima
    • rofi-mpd
    • rtmpdump
    • mpd-mpris
    11 hours ago
  • @LeSuisse ignored reference https://w… 11 hours ago
  • @LeSuisse ignored
    35 packages
    • mpdecimal
    • termpdfpy
    • mopidy-mpd
    • mpdris2-rs
    • pam_tmpdir
    • mpdscribble
    • dash-mpd-cli
    • libmpdclient
    • mpd-discord-rpc
    • rtmpdump_gnutls
    • listenbrainz-mpd
    • mpd-notification
    • perlPackages.NetMPD
    • mpd-touch-screen-gui
    • perl5Packages.NetMPD
    • haskellPackages.libmpd
    • perl538Packages.NetMPD
    • perl540Packages.NetMPD
    • python312Packages.mpd2
    • python313Packages.mpd2
    • python314Packages.mpd2
    • writableTmpDirAsHomeHook
    • mopidyPackages.mopidy-mpd
    • perlPackages.FileUtilTempdir
    • perlPackages.TestTempDirTiny
    • perl5Packages.FileUtilTempdir
    • perl5Packages.TestTempDirTiny
    • perl538Packages.FileUtilTempdir
    • perl538Packages.TestTempDirTiny
    • perl540Packages.FileUtilTempdir
    • perl540Packages.TestTempDirTiny
    • haskellPackages.mpd-current-json
    • haskellPackages.compdata-fixplate
    • home-assistant-component-tests.mpd
    • chickenPackages_5.chickenEggs.mpd-client
    11 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 11 hours ago
Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

Affected products

MPD
  • <0.24.11

Matching in nixpkgs

Ignored packages (46)

pkgs.ympd

Standalone MPD Web GUI written in C, utilizing Websockets and Bootstrap/JS

pkgs.mpdas

Music Player Daemon AudioScrobbler

pkgs.mympd

Standalone and mobile friendly web mpd client with a tiny footprint and advanced features

pkgs.compdb

Command line tool to manipulate compilation databases

pkgs.rofi-mpd

Rofi menu for interacting with MPD written in Python

pkgs.rtmpdump

Toolkit for RTMP streams

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6
  • nixos-25.11 2.6
    • nixos-25.11-small 2.6
    • nixpkgs-25.11-darwin 2.6

pkgs.mpd-mpris

Implementation of the MPRIS protocol for MPD

pkgs.mpdecimal

Library for arbitrary precision decimal floating point arithmetic

pkgs.mopidy-mpd

Mopidy extension for controlling playback from MPD clients

pkgs.mpdris2-rs

Exposing MPRIS V2.2 D-Bus interface for MPD

pkgs.pam_tmpdir

PAM module for creating safe per-user temporary directories

  • nixos-unstable 0.09
    • nixpkgs-unstable 0.09
    • nixos-unstable-small 0.09
  • nixos-25.11 0.09
    • nixos-25.11-small 0.09
    • nixpkgs-25.11-darwin 0.09

pkgs.mpdscribble

MPD client which submits info about tracks being played to a scrobbler

  • nixos-unstable 0.25
    • nixpkgs-unstable 0.25
    • nixos-unstable-small 0.25
  • nixos-25.11 0.24
    • nixos-25.11-small 0.24
    • nixpkgs-25.11-darwin 0.24

pkgs.libmpdclient

Client library for MPD (music player daemon)

  • nixos-unstable 2.24
    • nixpkgs-unstable 2.24
    • nixos-unstable-small 2.24
  • nixos-25.11 2.24
    • nixos-25.11-small 2.24
    • nixpkgs-25.11-darwin 2.24

pkgs.mpd-discord-rpc

Rust application which displays your currently playing song / album / artist from MPD in Discord using Rich Presence

pkgs.rtmpdump_gnutls

Toolkit for RTMP streams

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6
  • nixos-25.11 2.6
    • nixos-25.11-small 2.6
    • nixpkgs-25.11-darwin 2.6

pkgs.writableTmpDirAsHomeHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Published
Permalink CVE-2026-49129
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 11 hours ago by @LeSuisse Activity log
  • Created suggestion 17 hours ago
  • @LeSuisse ignored
    10 packages
    • ympd
    • mpdas
    • mympd
    • compdb
    • libmpd
    • mpdcron
    • mpdris2
    • mpd-sima
    • rofi-mpd
    • rtmpdump
    11 hours ago
  • @LeSuisse ignored reference https://w… 11 hours ago
  • @LeSuisse ignored
    36 packages
    • mpd-mpris
    • mpdecimal
    • termpdfpy
    • mopidy-mpd
    • mpdris2-rs
    • pam_tmpdir
    • mpdscribble
    • dash-mpd-cli
    • libmpdclient
    • mpd-discord-rpc
    • rtmpdump_gnutls
    • listenbrainz-mpd
    • mpd-notification
    • perlPackages.NetMPD
    • mpd-touch-screen-gui
    • perl5Packages.NetMPD
    • haskellPackages.libmpd
    • perl538Packages.NetMPD
    • perl540Packages.NetMPD
    • python312Packages.mpd2
    • python313Packages.mpd2
    • python314Packages.mpd2
    • writableTmpDirAsHomeHook
    • mopidyPackages.mopidy-mpd
    • perlPackages.FileUtilTempdir
    • perlPackages.TestTempDirTiny
    • perl5Packages.FileUtilTempdir
    • perl5Packages.TestTempDirTiny
    • perl538Packages.FileUtilTempdir
    • perl538Packages.TestTempDirTiny
    • perl540Packages.FileUtilTempdir
    • perl540Packages.TestTempDirTiny
    • chickenPackages_5.chickenEggs.mpd-client
    • home-assistant-component-tests.mpd
    • haskellPackages.compdata-fixplate
    • haskellPackages.mpd-current-json
    11 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 11 hours ago
Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin

Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.

Affected products

MPD
  • <0.24.11

Matching in nixpkgs

Ignored packages (46)

pkgs.ympd

Standalone MPD Web GUI written in C, utilizing Websockets and Bootstrap/JS

pkgs.mpdas

Music Player Daemon AudioScrobbler

pkgs.mympd

Standalone and mobile friendly web mpd client with a tiny footprint and advanced features

pkgs.compdb

Command line tool to manipulate compilation databases

pkgs.rofi-mpd

Rofi menu for interacting with MPD written in Python

pkgs.rtmpdump

Toolkit for RTMP streams

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6
  • nixos-25.11 2.6
    • nixos-25.11-small 2.6
    • nixpkgs-25.11-darwin 2.6

pkgs.mpd-mpris

Implementation of the MPRIS protocol for MPD

pkgs.mpdecimal

Library for arbitrary precision decimal floating point arithmetic

pkgs.mopidy-mpd

Mopidy extension for controlling playback from MPD clients

pkgs.mpdris2-rs

Exposing MPRIS V2.2 D-Bus interface for MPD

pkgs.pam_tmpdir

PAM module for creating safe per-user temporary directories

  • nixos-unstable 0.09
    • nixpkgs-unstable 0.09
    • nixos-unstable-small 0.09
  • nixos-25.11 0.09
    • nixos-25.11-small 0.09
    • nixpkgs-25.11-darwin 0.09

pkgs.mpdscribble

MPD client which submits info about tracks being played to a scrobbler

  • nixos-unstable 0.25
    • nixpkgs-unstable 0.25
    • nixos-unstable-small 0.25
  • nixos-25.11 0.24
    • nixos-25.11-small 0.24
    • nixpkgs-25.11-darwin 0.24

pkgs.libmpdclient

Client library for MPD (music player daemon)

  • nixos-unstable 2.24
    • nixpkgs-unstable 2.24
    • nixos-unstable-small 2.24
  • nixos-25.11 2.24
    • nixos-25.11-small 2.24
    • nixpkgs-25.11-darwin 2.24

pkgs.mpd-discord-rpc

Rust application which displays your currently playing song / album / artist from MPD in Discord using Rich Presence

pkgs.rtmpdump_gnutls

Toolkit for RTMP streams

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6
  • nixos-25.11 2.6
    • nixos-25.11-small 2.6
    • nixpkgs-25.11-darwin 2.6

pkgs.writableTmpDirAsHomeHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Published
Permalink CVE-2026-49130
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 11 hours ago by @LeSuisse Activity log
  • Created suggestion 17 hours ago
  • @LeSuisse ignored
    46 packages
    • ympd
    • mpdas
    • mympd
    • compdb
    • libmpd
    • mpdcron
    • mpdris2
    • mpd-sima
    • rofi-mpd
    • rtmpdump
    • mpd-mpris
    • mpdecimal
    • termpdfpy
    • mopidy-mpd
    • mpdris2-rs
    • pam_tmpdir
    • mpdscribble
    • dash-mpd-cli
    • libmpdclient
    • mpd-discord-rpc
    • rtmpdump_gnutls
    • listenbrainz-mpd
    • mpd-notification
    • perlPackages.NetMPD
    • mpd-touch-screen-gui
    • perl5Packages.NetMPD
    • haskellPackages.libmpd
    • perl538Packages.NetMPD
    • perl540Packages.NetMPD
    • python312Packages.mpd2
    • python313Packages.mpd2
    • python314Packages.mpd2
    • writableTmpDirAsHomeHook
    • mopidyPackages.mopidy-mpd
    • perlPackages.FileUtilTempdir
    • perlPackages.TestTempDirTiny
    • perl5Packages.FileUtilTempdir
    • perl5Packages.TestTempDirTiny
    • chickenPackages_5.chickenEggs.mpd-client
    • home-assistant-component-tests.mpd
    • haskellPackages.compdata-fixplate
    • haskellPackages.mpd-current-json
    • perl540Packages.TestTempDirTiny
    • perl538Packages.TestTempDirTiny
    • perl540Packages.FileUtilTempdir
    • perl538Packages.FileUtilTempdir
    11 hours ago
  • @LeSuisse ignored reference https://w… 11 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 11 hours ago
Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx

Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.

Affected products

MPD
  • <0.24.11

Matching in nixpkgs

Ignored packages (46)

pkgs.ympd

Standalone MPD Web GUI written in C, utilizing Websockets and Bootstrap/JS

pkgs.mpdas

Music Player Daemon AudioScrobbler

pkgs.mympd

Standalone and mobile friendly web mpd client with a tiny footprint and advanced features

pkgs.compdb

Command line tool to manipulate compilation databases

pkgs.rofi-mpd

Rofi menu for interacting with MPD written in Python

pkgs.rtmpdump

Toolkit for RTMP streams

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6
  • nixos-25.11 2.6
    • nixos-25.11-small 2.6
    • nixpkgs-25.11-darwin 2.6

pkgs.mpd-mpris

Implementation of the MPRIS protocol for MPD

pkgs.mpdecimal

Library for arbitrary precision decimal floating point arithmetic

pkgs.mopidy-mpd

Mopidy extension for controlling playback from MPD clients

pkgs.mpdris2-rs

Exposing MPRIS V2.2 D-Bus interface for MPD

pkgs.pam_tmpdir

PAM module for creating safe per-user temporary directories

  • nixos-unstable 0.09
    • nixpkgs-unstable 0.09
    • nixos-unstable-small 0.09
  • nixos-25.11 0.09
    • nixos-25.11-small 0.09
    • nixpkgs-25.11-darwin 0.09

pkgs.mpdscribble

MPD client which submits info about tracks being played to a scrobbler

  • nixos-unstable 0.25
    • nixpkgs-unstable 0.25
    • nixos-unstable-small 0.25
  • nixos-25.11 0.24
    • nixos-25.11-small 0.24
    • nixpkgs-25.11-darwin 0.24

pkgs.libmpdclient

Client library for MPD (music player daemon)

  • nixos-unstable 2.24
    • nixpkgs-unstable 2.24
    • nixos-unstable-small 2.24
  • nixos-25.11 2.24
    • nixos-25.11-small 2.24
    • nixpkgs-25.11-darwin 2.24

pkgs.mpd-discord-rpc

Rust application which displays your currently playing song / album / artist from MPD in Discord using Rich Presence

pkgs.rtmpdump_gnutls

Toolkit for RTMP streams

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6
  • nixos-25.11 2.6
    • nixos-25.11-small 2.6
    • nixpkgs-25.11-darwin 2.6

pkgs.writableTmpDirAsHomeHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Published
Permalink CVE-2026-49128
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 11 hours ago by @LeSuisse Activity log
  • Created suggestion 17 hours ago
  • @LeSuisse ignored
    2 packages
    • ympd
    • mpdas
    11 hours ago
  • @LeSuisse ignored reference https://w… 11 hours ago
  • @LeSuisse ignored
    45 packages
    • mympd
    • rtmpdump
    • mpd-mpris
    • mpd-small
    • mpdecimal
    • termpdfpy
    • mopidy-mpd
    • mpdris2-rs
    • pam_tmpdir
    • mpdscribble
    • mpdcron
    • mpdris2
    • rofi-mpd
    • dash-mpd-cli
    • libmpdclient
    • mpd-discord-rpc
    • rtmpdump_gnutls
    • listenbrainz-mpd
    • mpd-notification
    • perlPackages.NetMPD
    • mpd-touch-screen-gui
    • perl5Packages.NetMPD
    • haskellPackages.libmpd
    • perl538Packages.NetMPD
    • perl540Packages.NetMPD
    • python312Packages.mpd2
    • python313Packages.mpd2
    • python314Packages.mpd2
    • writableTmpDirAsHomeHook
    • mopidyPackages.mopidy-mpd
    • perlPackages.FileUtilTempdir
    • perlPackages.TestTempDirTiny
    • perl5Packages.FileUtilTempdir
    • perl5Packages.TestTempDirTiny
    • mpd-sima
    • chickenPackages_5.chickenEggs.mpd-client
    • home-assistant-component-tests.mpd
    • haskellPackages.mpd-current-json
    • perl540Packages.TestTempDirTiny
    • perl540Packages.FileUtilTempdir
    • perl538Packages.TestTempDirTiny
    • libmpd
    • perl538Packages.FileUtilTempdir
    • haskellPackages.compdata-fixplate
    • compdb
    11 hours ago
  • @LeSuisse restored package mpd-small 11 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 11 hours ago
Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

Affected products

MPD
  • <0.24.11

Matching in nixpkgs

Ignored packages (46)

pkgs.ympd

Standalone MPD Web GUI written in C, utilizing Websockets and Bootstrap/JS

pkgs.mpdas

Music Player Daemon AudioScrobbler

pkgs.mympd

Standalone and mobile friendly web mpd client with a tiny footprint and advanced features

pkgs.compdb

Command line tool to manipulate compilation databases

pkgs.rofi-mpd

Rofi menu for interacting with MPD written in Python

pkgs.rtmpdump

Toolkit for RTMP streams

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6
  • nixos-25.11 2.6
    • nixos-25.11-small 2.6
    • nixpkgs-25.11-darwin 2.6

pkgs.mpd-mpris

Implementation of the MPRIS protocol for MPD

pkgs.mpdecimal

Library for arbitrary precision decimal floating point arithmetic

pkgs.mopidy-mpd

Mopidy extension for controlling playback from MPD clients

pkgs.mpdris2-rs

Exposing MPRIS V2.2 D-Bus interface for MPD

pkgs.pam_tmpdir

PAM module for creating safe per-user temporary directories

  • nixos-unstable 0.09
    • nixpkgs-unstable 0.09
    • nixos-unstable-small 0.09
  • nixos-25.11 0.09
    • nixos-25.11-small 0.09
    • nixpkgs-25.11-darwin 0.09

pkgs.mpdscribble

MPD client which submits info about tracks being played to a scrobbler

  • nixos-unstable 0.25
    • nixpkgs-unstable 0.25
    • nixos-unstable-small 0.25
  • nixos-25.11 0.24
    • nixos-25.11-small 0.24
    • nixpkgs-25.11-darwin 0.24

pkgs.libmpdclient

Client library for MPD (music player daemon)

  • nixos-unstable 2.24
    • nixpkgs-unstable 2.24
    • nixos-unstable-small 2.24
  • nixos-25.11 2.24
    • nixos-25.11-small 2.24
    • nixpkgs-25.11-darwin 2.24

pkgs.mpd-discord-rpc

Rust application which displays your currently playing song / album / artist from MPD in Discord using Rich Presence

pkgs.rtmpdump_gnutls

Toolkit for RTMP streams

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6
  • nixos-25.11 2.6
    • nixos-25.11-small 2.6
    • nixpkgs-25.11-darwin 2.6

pkgs.writableTmpDirAsHomeHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin