CVE-2026-42052 Overview
CVE-2026-42052 is a Cross-Site Scripting (XSS) vulnerability in Beets, an open-source media library management system. The bundled web UI in versions prior to 2.10.0 uses Underscore.js template interpolation mode <%= ... %> to render untrusted metadata fields. This interpolation mode performs raw insertion without HTML escaping, while only <%- ... %> applies escaping. The rendered output is then injected into the DOM with .html(...), allowing attacker-controlled markup in media metadata to execute as active DOM content. The maintainers patched the issue in Beets version 2.10.0.
Critical Impact
Attacker-controlled metadata fields can execute arbitrary JavaScript in the browser of any user accessing the Beets web UI, leading to session theft, UI manipulation, and pivot opportunities into the host environment.
Affected Products
- Beets media library management system, all versions prior to 2.10.0
- Beets bundled web UI component (beetsplug/web)
- Deployments exposing the Beets web interface to multi-user or networked access
Discovery Timeline
- 2026-05-04 - CVE-2026-42052 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42052
Vulnerability Analysis
The vulnerability is classified as Cross-Site Scripting [CWE-79]. Beets imports media metadata such as track titles, artist names, album names, and comments from audio files. The web UI renders these fields client-side using Underscore.js templates.
In Underscore template syntax, <%= value %> performs raw HTML interpolation. The escaping variant <%- value %> is required to neutralize markup. Beets templates used the unescaped form for fields populated from untrusted file metadata. The result of _.template(...) is then passed to jQuery's .html(...), which parses the string as HTML and activates any embedded scripts or event handlers.
An attacker who controls a media file imported by a Beets user can embed JavaScript payloads in tag fields. When a victim opens the web UI and views the affected library item, the payload runs in the origin of the Beets server.
Root Cause
The root cause is incorrect choice of Underscore template interpolation mode. Developers used <%= %> for fields that originate from untrusted media file tags. Combined with .html() insertion, this permits HTML and script injection without input sanitization or output encoding at any layer.
Attack Vector
Exploitation requires an attacker to deliver a media file containing malicious markup in metadata tags such as title, artist, album, or comment. The attacker tricks a Beets user into importing the file or contributes it to a shared library. When the user browses the web UI, the browser parses the unescaped metadata and executes the attacker's payload. User interaction is required, and the attack proceeds over the network against the web UI origin.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-3gxm-wfjx-m847 for technical details.
Detection Methods for CVE-2026-42052
Indicators of Compromise
- Media files with metadata fields containing HTML tags such as <script>, <img onerror=...>, or <svg onload=...>
- Outbound HTTP requests from a user's browser to unfamiliar domains immediately after loading the Beets web UI
- Unexpected DOM elements or injected <iframe> content within the Beets web UI
- Beets library database (library.db) entries containing raw HTML or JavaScript in tag columns
Detection Strategies
- Scan the Beets library database for metadata values containing angle-bracket sequences and known XSS payload patterns
- Inspect imported media files with tag readers such as mutagen or exiftool to flag entries containing HTML or JavaScript syntax
- Enable browser Content Security Policy reporting on the web UI host to capture script-source violations
- Review web UI access logs for sessions that load metadata-rich endpoints followed by anomalous outbound activity
Monitoring Recommendations
- Monitor the Beets server process for unexpected child processes or file writes triggered by web UI sessions
- Alert on browser console errors and CSP violations originating from the Beets origin
- Track new file imports and correlate against subsequent web UI rendering activity
- Restrict and log network access to the Beets web UI port, since it lacks authentication by default
How to Mitigate CVE-2026-42052
Immediate Actions Required
- Upgrade Beets to version 2.10.0 or later, which replaces unsafe interpolation in the web UI templates
- Stop exposing the Beets web UI to untrusted networks until the upgrade is applied
- Audit existing library metadata for HTML or JavaScript content and sanitize or remove affected entries
- Avoid importing media files from untrusted sources until templates are confirmed patched
Patch Information
The fix is included in Beets release v2.10.0. The patch switches metadata field rendering from raw <%= %> interpolation to escaping <%- %> interpolation in the bundled web UI templates. Full advisory details are available in GitHub Security Advisory GHSA-3gxm-wfjx-m847.
Workarounds
- Bind the Beets web UI to 127.0.0.1 only and tunnel via SSH for remote access
- Place the web UI behind a reverse proxy that enforces a strict Content Security Policy disallowing inline scripts
- Disable the web plugin in config.yaml until the upgrade can be completed
- Sanitize metadata at import time by stripping HTML characters from tag fields using a pre-import script
# Configuration example
# Upgrade Beets to the patched release
pip install --upgrade 'beets>=2.10.0'
# Verify installed version
beet version
# Temporary mitigation: disable the web plugin in ~/.config/beets/config.yaml
# plugins: [ ... ] # remove 'web' from this list until upgraded
# Or bind the web UI to localhost only
# web:
# host: 127.0.0.1
# port: 8337
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
