CVE-2026-23877: Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user
Swing Music’s list_folders() function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem.
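One way to confine a directory-browser handler like the one described above, shown as an added example (it is not Swing Music's code or its fix). The function names, the `BrowseDenied` exception, the policy that only admins may browse outside the configured library roots, and the temporary directory tree are all assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


class BrowseDenied(Exception):
    """Raised when a directory-browser request must be refused."""


def resolve_inside_roots(requested: str, allowed_roots: list[str]) -> Path:
    """Return the canonical path if it lies inside an allowed root, else raise."""
    # resolve() collapses ".." and follows symlinks, so the containment check
    # runs on the real location, not on the string the client sent.
    target = Path(requested).resolve()
    for root in map(Path, allowed_roots):
        root = root.resolve()
        if target == root or root in target.parents:
            return target
    raise BrowseDenied(f"outside configured roots: {requested!r}")


def list_folders_confined(requested: str, allowed_roots: list[str], is_admin: bool) -> list[str]:
    """Hypothetical handler body. Assumed policy: only admins may leave the roots."""
    target = Path(requested).resolve() if is_admin else resolve_inside_roots(requested, allowed_roots)
    if not target.is_dir():
        raise BrowseDenied("not a directory")
    # Symlinked directories are not listed, so the listing offers no way out.
    return sorted(e.name for e in os.scandir(target) if e.is_dir(follow_symlinks=False))


def demo() -> dict:
    """Exercise the check on a constructed temporary tree (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        music, private = Path(tmp, "music"), Path(tmp, "private")
        (music / "albums").mkdir(parents=True)
        private.mkdir()
        os.symlink(private, music / "link")  # symlink pointing outside the root
        roots = [str(music)]
        cases = {"inside": (music, False), "dotdot": (music / ".." / "private", False),
                 "symlink": (music / "link", False), "parent": (Path(tmp), False),
                 "admin_parent": (Path(tmp), True)}
        results = {}
        for label, (path, admin) in cases.items():
            try:
                results[label] = list_folders_confined(str(path), roots, admin)
            except BrowseDenied:
                results[label] = "denied"
        return results
```

Calling `demo()` returns the listing for the in-root request and `"denied"` for the `..`, symlink and parent-directory requests made as a non-admin.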