Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user
Swing Music's list_folders() function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem.