CVE-2019-12386

MEDIUM

Ampache < 3.9.1 - Stored Cross-Site Scripting via LocalPlay Add Instance

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12386. PoCs published by X-C3LL.

AI-analyzed exploit summary This PoC exploits a CSRF vulnerability in Ampache <=3.9.1 to create a new admin account via an iframe-based attack. It automates form submission to add a user with admin privileges (access level 100).

Description

An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.

Exploits (1)

github WORKING POC 11 stars
by X-C3LL · pythonpoc
https://github.com/X-C3LL/PoC-CVEs/tree/master/CVE-2019-12386

This PoC exploits a CSRF vulnerability in Ampache <=3.9.1 to create a new admin account via an iframe-based attack. It automates form submission to add a user with admin privileges (access level 100).

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Ampache <=3.9.1
No auth needed
Prerequisites: Victim must visit a malicious page hosting this script · Ampache instance must be accessible at the specified URL
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.tarlogic.com/en/blog/vulnerabilities-in-ampache/
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/11/msg00008.html

Scores

CVSS v3 5.4
EPSS 0.0084
EPSS Percentile 53.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
ampache/ampache < 3.9.1
Published Aug 22, 2019
Tracked Since Feb 18, 2026