Description
Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary directories by manipulating the parent parameter. Attackers can supply directory traversal sequences in the parent parameter of the getAlbum endpoint to access sensitive system directories and download them as ZIP files.
Core References
Exploit, Third Party Advisory: https://www.exploit-db.com/exploits/45830
Third Party Advisory: https://www.vulncheck.com/advisories/musicco-arbitrary-directory-download-via-path-traversal
Scores
CVSS v3: 7.5
EPSS: 0.0110
EPSS Percentile: 78.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Published: Mar 06, 2026
Tracked Since: Mar 06, 2026