Hi,

The following vulnerability was published for beets.

CVE-2026-42052[0]:
| Beets is the media library management system. Prior to version
| 2.10.0, the bundled web UI uses Underscore template interpolation
| mode <%= ... %> for untrusted metadata fields. In this runtime, <%=
| ... %> is raw insertion and HTML escaping is only performed by <%-
| ... %>. Rendered output is then inserted with .html(...), allowing
| attacker-controlled markup to become active DOM. This issue has been
| patched in version 2.10.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42052
    https://www.cve.org/CVERecord?id=CVE-2026-42052
[1] https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
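To make the advisory's distinction concrete, here is an added example (not beets code and not Underscore itself): a minimal stand-in for the two Underscore tags that only looks up a field name instead of evaluating a JavaScript expression, with the same escape set as Underscore's _.escape, plus a scan helper of the kind a regression test could run over a template to flag raw <%= %> interpolations of metadata fields. The template strings and track metadata are constructed for the demonstration.

```javascript
// Characters Underscore's _.escape replaces; <%- %> goes through this, <%= %> does not.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                     '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Simplified renderer (assumption: tags contain a plain field name, not an
// arbitrary expression). '=' inserts raw text, '-' inserts escaped text,
// mirroring Underscore's default template settings.
function renderTemplate(source, fields) {
  return source.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_m, mode, name) => {
    const value = fields[name] ?? '';
    return mode === '-' ? escapeHtml(value) : String(value);
  });
}

// Returns the field names rendered through the raw tag, so a test can fail
// as soon as an untrusted field is interpolated without escaping.
function findRawInterpolations(source) {
  const hits = [];
  const re = /<%=\s*([\w.]+)\s*%>/g;
  let m;
  while ((m = re.exec(source)) !== null) hits.push(m[1]);
  return hits;
}

// Constructed sample: a library entry whose title carries markup.
const track = { title: '<i>Title</i> & "Live"', artist: 'Example Artist' };

// The shape of the affected template before and after the fix (constructed).
const beforeFix = '<li><%= title %> - <%- artist %></li>';
const afterFix  = '<li><%- title %> - <%- artist %></li>';

// Renders both variants and reports the remaining raw tags in each.
function demo() {
  return {
    rawOutput: renderTemplate(beforeFix, track),
    escapedOutput: renderTemplate(afterFix, track),
    rawTagsBefore: findRawInterpolations(beforeFix),
    rawTagsAfter: findRawInterpolations(afterFix),
  };
}
```

With .html(...) on the rendering side, the rawOutput string is what would become live DOM; the escapedOutput string renders as visible text.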
Thanks.

I'm assuming, based on nothing but my own judgement, that users don't often expose their beets library externally using this web UI. Even if they do, this vulnerability is not very practical for attackers to exploit as they should poison a library with malicious code in music metadata fields. Or something. Therefore, I think this is a low risk vulnerability.

Upstream reports this is fixed in their commit
https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a

I will update the package to 2.10 in unstable with DD sponsorship from the python team. I will try to prepare stable updates for bullseye to trixie in branches in salsa. I will try to backport this commit and provide a test confirming proper escaping of field input.

I'm not a DD, so I do not have upload access. I propose I work on the above and report on my progress here. I think I will need a couple of days, maybe until the end of the weekend to propose fixes.

Please jump in if any of the above does not sound okay.

Thanks,
Pieter
Hi Pieter,

FWIW, I agree with you, and just uploading the fixing version to unstable is good. For stable and oldstable I believe it does not need a security update, we will mark it no-dsa in the security tracker. If you mean to fix it in stable and oldstable, doing it via an upcoming point release would be sufficient.

Thanks for working on it,

Regards,
Salvatore
thanks
On Wed May 6, 2026 at 7:47 AM CEST, Salvatore Bonaccorso wrote:

Hi Salvatore & python team,

I'm looking into getting the update to unstable. There are some dependency issues.

I have now pushed my proposition for a trixie update to
https://salsa.debian.org/python-team/packages/beets/-/tree/debian/stable/

I backported the patch and added a test to check for unsafe input fields in the template.

1. Can someone in the python team review my proposed fix?
2. Should this then become a stable update, following that process? If yes I will open a stable update bug.

Thanks for giving me directions,
Pieter
Hi Pieter!

I can review them. Just to confirm it, the patches to fix this CVE are:

- fix-ubuntu-s390x
- fix_xss_by_using_escaped_template_tags_in_web_ui
- add_unit_test_checking_unsafe_web_ui_input

Also I recommend you use debian/trixie as the branch name.
On Sun May 10, 2026 at 10:01 PM CEST, Emmanuel Arias wrote:

Hi Emmanuel,

I'm CC'ing Jeroen as he has been giving me feedback on my beets update for unstable.

Great, thanks in advance.

This one was touched by gbp pq importing/exporting. Not related to the CVE.

These two are the ones, indeed.

I've renamed the branch and I've prepared the updates for bullseye & bookworm too. Feedback welcome for these. Should I open stable update bugs for each release?

My update for unstable is not ready yet. I still get issues from autopkgtest. @Jeroen, I did remediate all your comments though.

Thanks for your time!
Pieter
Yes, you can open a -pu bug. I sent you some comments about patches.
Hi Jeroen & Emmanuel,

I've opened the trixie-pu bug #113668 and received the feedback that the issue must be fixed in unstable first.

So, I've now fixed the unstable 2.11.0-1 update. My proposal is ready in salsa:
https://salsa.debian.org/python-team/packages/beets/-/pipelines/1087567

Can you please review and upload? I will then create the bookworm and bullseye pu bugs too.

Thx!
Pieter
Hi,

I created bullseye and bookworm pu bugs too, which makes the related bugs:

* trixie-pu: #1136681
* bookworm-pu: #1136745
* bullseye-pu: #1136746

Br,
Pieter
We believe that the bug you reported is fixed in the latest version of
beets, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1135779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pieter Lenaerts <plenae@disroot.org> (supplier of updated beets package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 16 May 2026 08:11:22 +0000
Source: beets
Built-For-Profiles: noudeb
Architecture: source
Version: 2.11.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Pieter Lenaerts <plenae@disroot.org>
Closes: 1135779
Changes:
beets (2.11.0-1) unstable; urgency=medium
.
* New upstream version 2.11.0
* Update deps according to pyproject.toml
* Remove unneeded patches - only test-rsrc remains.
* Add patch adding a test against CVE-2026-42052 (Closes: #1135779)
* Remove unused debian/copyright paragraph ISC
* d/watch: renamed fields with debputy lint --auto-fix (routine-update)
* debian/control:
* Reorder sequence of fields by cme (routine-update)
* Add build-deps python3-factory_boy & python3-accoustid
* Use sphinx 9; python3-mediafile >= 1.3.1
* debian/tests:
* Mirror build-deps to debian/tests/control
* Add very basic cli autopkgtest
* unittests: set full path to resources
* Forwarded patch add_unit_test_checking_unsafe_web_ui_input
* Remove obsolete README.Debian
Format: 1.8
Date: Sat, 23 May 2026 11:35:26 +0000
Source: beets
Built-For-Profiles: noudeb
Architecture: source
Version: 1.6.0-4+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Pieter Lenaerts <plenae@disroot.org>
Closes: 1135779
Changes:
beets (1.6.0-4+deb12u1) bookworm; urgency=medium
.
* Add patches fixing CVE-2026-42052 (Closes: #1135779)
* Backport patch to fix a test that thinks 2025 is in the future
Format: 1.8
Date: Mon, 25 May 2026 09:10:59 +0000
Source: beets
Built-For-Profiles: noudeb
Architecture: source
Version: 2.2.0-3+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Pieter Lenaerts <plenae@disroot.org>
Closes: 1135779
Changes:
beets (2.2.0-3+deb13u1) trixie; urgency=medium
.
* Add patch to fix xss vulnerability CVE-2026-42052 in web ui
(Closes: #1135779)
* Add patch with test for unsafe web ui input