CVE-2026-25579 Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL /share/img/. When processing such requests, the...

PT-2026-6326

Name of the Vulnerable Software and Affected Versions Navidrome versions prior to 0.60.0 Description Navidrome is a web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can cause a denial of service by providing a large size parameter to the /rest/getCoverA...

EUVD-2022-0665

Malicious code in bioql PyPI...

EUVD-2025-16433

Malicious code in bioql PyPI...

GO-2025-3733 Navidrome Transcoding Permission Bypass Vulnerability Report in github.com/navidrome/navidrome

Navidrome Transcoding Permission Bypass Vulnerability Report in github.com/navidrome/navidrome...

CVE-2025-48948

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating,...

CVE-2025-48949 Navidrome allows SQL Injection via role parameter

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially...

CVE-2025-48949

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially...

CVE-2025-48948 Navidrome Transcoding Permission Bypass Vulnerability Report

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating,...

CVE-2025-48948

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating,...

Navidrome 安全漏洞

Navidrome is Navidrome Open Source a web-based open source music collection server and streamer. Used to freely listen to music collections from any browser or mobile device. A security vulnerability exists in Navidrome versions prior to 0.56.0, which stems from insufficient privilege validation...

GHSA-F238-RGGP-82M3 Navidrome Transcoding Permission Bypass Vulnerability Report

Summary A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. Details Navidrome supports transcoding...

Navidrome Transcoding Permission Bypass Vulnerability Report

Summary A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. Details Navidrome supports transcoding...

GHSA-5WGP-VJXM-3X2R Navidrome allows SQL Injection via role parameter

🛡 Security Advisory: SQL Injection Vulnerability in Navidrome v0.55.2 Overview This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized...

PT-2025-23230 · Navidrome +1 · Navidrome +1

Name of the Vulnerable Software and Affected Versions: Navidrome versions 0.55.0 through 0.55.2 Description: The issue arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially...

PT-2025-23229 · Navidrome · Navidrome

Name of the Vulnerable Software and Affected Versions: Navidrome versions prior to 0.56.0 Description: A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including...

navidrome -- transcoding permission bypass vulnerability

Deluan Quintão reports: A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings...

CVE-2022-23857

model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table which contains sensitive information such as the users...

GO-2025-3484 Navidrome allows an authentication bypass in Subsonic API with non-existent username in github.com/navidrome/navidrome

Navidrome allows an authentication bypass in Subsonic API with non-existent username in github.com/navidrome/navidrome...

Navidrome allows an authentication bypass in Subsonic API with non-existent username

Summary In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty salted password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error. Details A flaw...