Lucene search
K

152 matches found

Nuclei
Nuclei
added 16 hours ago157 views

Navidrome <=0.54.5 - Authentication Bypass in Subsonic API

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS6.2AI score0.00936EPSS
Exploits1References1
Nuclei
Nuclei
added 16 hours ago51 views

Navidrome < 0.53.0 - Authenticated SQL Injection

Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like password=... in the URL ORM Leak. Furthermore, the names of the parameters are not...

9.4CVSS7.1AI score0.04457EPSS
Exploits2References3
Tenable Nessus
Tenable Nessus
added 2026/02/08 12:0 a.m.4 views

FreeBSD : navidrome -- multiple vulnerabilities (a6effa17-1fd4-4895-8471-d5c684d7807c)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the a6effa17-1fd4-4895-8471-d5c684d7807c advisory. An XSS vulnerability in the frontend allows a malicious attacker to inject code through the...

9.2CVSS5.3AI score0.00455EPSS
Exploits2References5
SUSE CVE
SUSE CVE
added 2026/02/07 12:23 a.m.6 views

SUSE CVE-2026-25578

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...

6.1CVSS5.1AI score0.00297EPSS
Exploits1References3
SUSE CVE
SUSE CVE
added 2026/02/07 12:23 a.m.7 views

SUSE CVE-2026-25579

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL /share/img/. When processing such requests, the...

9.2CVSS5.4AI score0.00455EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/02/06 1:25 a.m.6 views

CVE-2026-25579

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL /share/img/. When processing such requests, the...

9.2CVSS5.4AI score0.00455EPSS
Exploits1References1
OSV
OSV
added 2026/02/05 3:20 a.m.6 views

GO-2026-4411 Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints in github.com/navidrome/navidrome

Navidrome affected by Denial of Service and disk exhaustion via oversized size parameter in /rest/getCoverArt and /share/img/ endpoints in github.com/navidrome/navidrome...

9.2CVSS5.3AI score0.00455EPSS
Exploits1References1
OSV
OSV
added 2026/02/05 3:20 a.m.6 views

GO-2026-4413 Navidrome has XSS via comment from song metadata in github.com/navidrome/navidrome

Navidrome has XSS via comment from song metadata in github.com/navidrome/navidrome...

6.1CVSS5.3AI score0.00297EPSS
Exploits1References3
NVD
NVD
added 2026/02/04 10:16 p.m.11 views

CVE-2026-25578

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...

6.1CVSS0.00297EPSS
Exploits1References3
NVD
NVD
added 2026/02/04 10:16 p.m.7 views

CVE-2026-25579

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL /share/img/. When processing such requests, the...

9.2CVSS0.00455EPSS
Exploits1References2
CVE
CVE
added 2026/02/04 9:58 p.m.51 views

CVE-2026-25578

Navidrome is vulnerable to a frontend cross-site scripting (XSS) flaw via the song metadata comment field. A maliciously crafted comment can exfiltrate user credentials or API tokens from the Navidrome UI. Affected version range is prior to 0.60.0; the issue has been mitigated/patched in 0.60.0. ...

6.1CVSS5.1AI score0.00297EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/02/04 9:58 p.m.29 views

CVE-2026-25578 Navidrome is vulnerable to XSS via comment from song metadata

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...

6.1CVSS0.00297EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/02/04 9:58 p.m.3 views

CVE-2026-25578 Navidrome is vulnerable to XSS via comment from song metadata

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...

6.1CVSS5.1AI score0.00297EPSS
Exploits1References3
EUVD
EUVD
added 2026/02/04 9:58 p.m.5 views

EUVD-2026-5323

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...

6.1CVSS5.1AI score0.00297EPSS
Exploits1References3
OSV
OSV
added 2026/02/04 9:58 p.m.6 views

CVE-2026-25578 Navidrome is vulnerable to XSS via comment from song metadata

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...

6.1CVSS5.2AI score0.00297EPSS
Exploits1References5
AlpineLinux
AlpineLinux
added 2026/02/04 9:58 p.m.3 views

CVE-2026-25578

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...

6.1CVSS5.2AI score0.00297EPSS
Exploits1
EUVD
EUVD
added 2026/02/04 9:58 p.m.7 views

EUVD-2026-5324

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL /share/img/. When processing such requests, the...

9.2CVSS5.5AI score0.00455EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/04 9:58 p.m.4 views

CVE-2026-25579 Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL /share/img/. When processing such requests, the...

9.2CVSS5.5AI score0.00455EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/02/04 9:58 p.m.6 views

CVE-2026-25579

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL /share/img/. When processing such requests, the...

9.2CVSS5.4AI score0.00455EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/02/04 9:58 p.m.21 views

CVE-2026-25579

Summary: CVE-2026-25579 affects Navidrome prior to 0.60.0. Authenticated users can trigger a Denial of Service and disk exhaustion by sending an oversized size parameter to /rest/getCoverArt or /share/img/, causing extreme memory allocation and cache growth; this can kill the Navidrome process vi...

9.2CVSS5.5AI score0.00455EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder