CVE-2026-42052
MediumCVSS 6.0Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
Beets is a media library management system. Prior to version 2.10.0, the bundled web UI used Underscore template interpolation mode <%= ... %> for untrusted metadata fields, leading to the possibility of injecting malicious HTML code.
Risk Assessment
An attacker could exploit this vulnerability to activate malicious code in the DOM, posing a serious threat to the application's security and user data.
Recommendation
It is recommended to upgrade to version 2.10.0 or later to eliminate this vulnerability and secure the system against potential attacks.
Original NVD description (English source)
Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.

