How the mentioned CVE works:
The vulnerability exists in the beets web UI plugin because metadata fields are rendered without HTML escaping. An attacker can write HTML or JavaScript into metadata fields such as lyrics or comments; these values are stored in the beets library database. When a victim opens the web UI, the affected template (beetsplug/web/templates/index.html, lines 42-46 and 87-91) inserts them with Underscore's raw interpolation `<%= ... %>` rather than the escaping variant `<%- ... %>`. In Underscore (static/underscore.js, lines 890-907) `<%= ... %>` is the "interpolate" delimiter, which inserts the value verbatim; only `<%- ... %>` ("escape") runs it through _.escape. The rendered string is then written into the DOM with jQuery's `.html()` in beets.js (lines 182, 208, 220), which parses it as markup, so tags and event handlers in the metadata become live elements and attacker-controlled script runs in the victim's browser.

Triggering requires only that a user view a page listing the poisoned item; no further interaction is needed. Because the payload lives in the library database it is persistent and fires for every user who loads that item. The root cause is treating metadata as trusted HTML at render time. The fix is to change `<%=` to `<%-` for every untrusted field and to stop passing untrusted content to `.html()` (insert it with `.text()` or another DOM API that does not parse markup).
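The raw-versus-escaped behaviour described above, as an added example that is not beets code and does not use the real underscore.js: a small Node script that re-implements only the `<%= %>` (raw) and `<%- %>` (escaped) delimiters with Underscore's escape table, renders a constructed poisoned item through a vulnerable-shaped template and its `<%-` fix, and includes a helper that lists raw interpolations for review. The template text, field names and item values are illustrative assumptions, not copied from index.html.

```javascript
// Added example, not beets code and not the real underscore.js: a minimal
// renderer that reproduces Underscore's two interpolation delimiters so the
// raw-vs-escaped difference can be run offline in Node.

// The six characters Underscore's _.escape replaces.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

function escapeHtml(value) {
  const s = value == null ? '' : String(value);
  return s.replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Supports <%= name %> (raw insert, Underscore "interpolate") and
// <%- name %> (escaped insert, Underscore "escape"). For simplicity the
// expression is a dotted property path on `data`, not arbitrary JavaScript
// as in Underscore.
function renderTemplate(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_m, mode, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    return mode === '=' ? (value == null ? '' : String(value)) : escapeHtml(value);
  });
}

// Constructed sample library item whose tags carry stored-XSS payloads.
const poisonedItem = {
  title: '<img src=x onerror=alert(1)>',
  artist: 'Example Artist',
  lyrics: '<script>alert("XSS")</script>',
};

// Shape of the vulnerable template (assumed layout): untrusted fields raw.
const vulnerableTemplate =
  '<li class="item"><span class="title"><%= title %></span> ' +
  '<span class="artist"><%= artist %></span>' +
  '<pre class="lyrics"><%= lyrics %></pre></li>';

// The fix described in the advisory: the same template with <%= changed to <%-.
const fixedTemplate = vulnerableTemplate.replace(/<%=/g, '<%-');

// True if the rendered string still contains a live <script> or <img> tag
// from the payload; escaped text such as "&lt;img" does not match.
function containsPayloadTags(html) {
  return /<(script|img)\b/i.test(html);
}

// Audit helper: list every raw <%= ... %> interpolation in a template source
// so each one can be checked against the trust level of its field.
function findRawInterpolations(templateSource) {
  const hits = [];
  const re = /<%=\s*([^%]*?)\s*%>/g;
  let m;
  while ((m = re.exec(templateSource)) !== null) hits.push(m[1]);
  return hits;
}

function demo() {
  return {
    vulnerable: renderTemplate(vulnerableTemplate, poisonedItem),
    fixed: renderTemplate(fixedTemplate, poisonedItem),
  };
}

const out = demo();
console.log('vulnerable:', out.vulnerable);
console.log('fixed:     ', out.fixed);
```

Note that escaping leaves `onerror=alert(1)` visible in the fixed output as inert text: without an unescaped `<` there is no element for the handler to attach to. In the browser the second half of the fix is the insertion point: jQuery's `.html()` parses its argument as markup, while `.text()` (or `textContent`) stores it as character data, so even a string that slipped through unescaped cannot create elements or event handlers.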
dailycve form:
Platform: beets webplugin
Version: 80cd21554124
Vulnerability: Stored XSS
Severity: Medium
Date: 2026-04-29
Prediction: 2026-05-15
What Undercode Say:
Audit for unsafe interpolation
grep -rn "<%=" beetsplug/web/templates/
Check jQuery .html() usage
grep -rn ".html(" beetsplug/web/static/beets.js
Sample payload to test
curl -X POST -d '=<script>alert("XSS")</script>' http://beets/api/item
How to exploit:
The attacker writes the payload into a metadata field through the beets CLI or API, e.g. beet modify ='<img src=x onerror=alert(1)>' (the beets command-line binary is `beet`; `modify` takes a query followed by FIELD=VALUE pairs). The payload is saved to the library database. When a victim opens the web UI page listing that item, the template renders the field raw, `.html()` parses it, and the script executes in the victim's browser.
Protection from this CVE:
Update to a patched version. If none is available, change `<%=` to `<%-` in index.html at lines 42-46 and 87-91 (and at any other place untrusted metadata is interpolated), and in beets.js insert untrusted strings with `.text()` rather than `.html()`. A Content Security Policy that disallows inline scripts (no 'unsafe-inline' in script-src) blocks both injected `<script>` blocks and `onerror=` handlers, but it is a backstop, not a substitute for output encoding. Validating metadata on input only covers payloads written through the validated path; tags imported from files or edited with other tools still reach the template, so the fix must be applied at the render site.
Impact:
Arbitrary JavaScript execution in the victim's browser within the origin of the beets web UI: exfiltration of session cookies or local storage, and any action the victim can perform in the web interface can be performed by the injected script. Because the payload is stored, every user who views the poisoned item is affected.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

