Navidrome
by Navidrome
Source repositories
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-25578 | Navidrome / Navidrome | | 0.00 | — | 0.00 | | Feb 4, 2026 | Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue… |
| CVE-2026-25579 | Navidrome / Navidrome | | 0.00 | — | 0.00 | | Feb 4, 2026 | Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/). When… |
| CVE-2025-48949 | Navidrome / Navidrome | | 0.00 | — | 0.00 | | May 30, 2025 | Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL… |
| CVE-2025-48948 | Navidrome / Navidrome | | 0.00 | — | 0.00 | | May 30, 2025 | Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations,… |
| CVE-2025-27112 | Navidrome / Navidrome | | 0.00 | — | 0.01 | | Feb 24, 2025 | Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not… |
| CVE-2024-56362 | Navidrome / Navidrome | | 0.00 | — | 0.00 | | Dec 23, 2024 | Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can… |
| CVE-2024-47062 | Navidrome / Navidrome | | 0.00 | — | 0.04 | | Sep 20, 2024 | Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of… |
| CVE-2024-32963 | Navidrome / Navidrome | | 0.00 | — | 0.00 | | May 1, 2024 | Navidrome is an open source web-based music collection server and streamer. Affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change… |
| CVE-2023-51442 | Navidrome / Navidrome | | 0.00 | — | 0.01 | | Dec 21, 2023 | Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web… |
| CVE-2022-23857 | Navidrome / Navidrome | | 0.00 | — | 0.01 | | Jan 24, 2022 | model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive… |
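The "ORM Leak" pattern behind CVE-2024-47062 (query-string keys turned straight into SQL filter columns) is easy to reproduce and easy to fix with an allowlist. The following Go program is an added illustration written for this page, not Navidrome's own code: the `artist` table, its columns and the `allowedFilters` set are hypothetical, and the program only builds the SQL text and bound arguments rather than executing them against a database.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// allowedFilters is a hypothetical allowlist of columns a client may filter on.
// Column names in the generated SQL come only from this map, never from the request.
var allowedFilters = map[string]bool{
	"name":     true,
	"album_id": true,
	"starred":  true,
}

// sortedKeys gives a deterministic parameter order so the generated SQL is stable.
func sortedKeys(params url.Values) []string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// vulnerableWhere reproduces the ORM-leak pattern: every query-string key becomes a
// "column = ?" clause. Values are bound as placeholders, so this is not classic SQL
// injection, but the client chooses the column, so ?password=... compares against a
// column it should never be able to reference and the response acts as an oracle.
func vulnerableWhere(params url.Values) (string, []any) {
	base := "SELECT id, name FROM artist"
	var clauses []string
	var args []any
	for _, k := range sortedKeys(params) {
		clauses = append(clauses, fmt.Sprintf("%s = ?", k))
		args = append(args, params.Get(k))
	}
	if len(clauses) == 0 {
		return base, args
	}
	return base + " WHERE " + strings.Join(clauses, " AND "), args
}

// safeWhere is the hardened form: a key that is not in allowedFilters is rejected
// outright rather than silently dropped, so a probe for "password" fails loudly.
func safeWhere(params url.Values) (string, []any, error) {
	base := "SELECT id, name FROM artist"
	var clauses []string
	var args []any
	for _, k := range sortedKeys(params) {
		if !allowedFilters[k] {
			return "", nil, fmt.Errorf("filter on %q is not permitted", k)
		}
		clauses = append(clauses, k+" = ?")
		args = append(args, params.Get(k))
	}
	if len(clauses) == 0 {
		return base, args, nil
	}
	return base + " WHERE " + strings.Join(clauses, " AND "), args, nil
}

func main() {
	// Constructed request: a legitimate filter plus a probe on a sensitive column.
	probe := url.Values{"name": {"Bowie"}, "password": {"hunter2"}}

	q, args := vulnerableWhere(probe)
	fmt.Println("vulnerable:", q, args)

	if _, _, err := safeWhere(probe); err != nil {
		fmt.Println("hardened: rejected:", err)
	}
	q, args, _ = safeWhere(url.Values{"name": {"Bowie"}})
	fmt.Println("hardened:", q, args)
}
```

The allowlist is the whole fix: bound placeholders protect the values, but nothing short of a fixed set of column names protects the identifiers. Rejecting unknown keys (rather than ignoring them) also makes probing visible in the logs.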