Home

Description

Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary directories by manipulating the parent parameter. Attackers can supply directory traversal sequences in the parent parameter of the getAlbum endpoint to access sensitive system directories and download them as ZIP files.

PUBLISHED Reserved 2026-03-06 | Published 2026-03-06 | Updated 2026-03-06 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

2.0.0
affected

Credits

Ihsan Sencan finder

References

www.exploit-db.com/exploits/45830 (ExploitDB-45830) exploit

www.vulncheck.com/...y-directory-download-via-path-traversal (VulnCheck Advisory: Musicco 2.0.0 Arbitrary Directory Download via Path Traversal) third-party-advisory

cve.org (CVE-2018-25181)

nvd.nist.gov (CVE-2018-25181)

Download JSON