Lucene search
K

25 matches found

Nuclei
Nuclei
added yesterday158 views

Navidrome <=0.54.5 - Authentication Bypass in Subsonic API

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS6.2AI score0.00936EPSS
Exploits1References1
OSV
OSV
added 2026/06/26 11:33 p.m.3 views

GHSA-HMGP-W9JM-VP95 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)

Summary In gonic, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can: 1. Delete any playlist owned by any other user including admin by passing its id. 2. Read the full...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References4
OSV
OSV
added 2026/06/19 7:8 p.m.4 views

CVE-2026-49338 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...

7.1CVSS6AI score0.00168EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/19 7:8 p.m.22 views

CVE-2026-49338 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...

7.1CVSS0.00168EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/19 6:23 p.m.6 views

CVE-2026-49339

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS6AI score0.00262EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.25 views

PT-2026-51013

Name of the Vulnerable Software and Affected Versions Gonic versions prior to 0.21.0 Description A logic error in the ServeCreateOrUpdatePlaylist function allows for arbitrary file write operations within the music streaming server. Recommendations Update to version 0.21.0 or later. As a temporar...

8.1CVSS5.9AI score0.00269EPSS
Exploits0References8
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2021-8696

Malicious code in bioql PyPI...

9.1CVSS7.9AI score0.01438EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2025/09/10 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2021-21399

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic AP...

9.1CVSS7.3AI score0.01438EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/06/24 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-27112

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS5.9AI score0.00936EPSS
In wildExploits1References46
RedhatCVE
RedhatCVE
added 2025/05/22 7:10 p.m.6 views

CVE-2021-21399

Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and...

9.1CVSS7AI score0.01438EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2025/04/22 12:0 a.m.8 views

FreeBSD : Navidrome -- Authentication bypass in Subsonic API (5ca2cafa-1f24-11f0-ab07-f8f21e52f724)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 5ca2cafa-1f24-11f0-ab07-f8f21e52f724 advisory. Deluan reports: In certain Subsonic API endpoints, authentication can be bypassed by using a non-existe...

6.9CVSS5.5AI score0.00936EPSS
Exploits1References3
OSV
OSV
added 2025/03/03 7:22 p.m.15 views

GO-2025-3484 Navidrome allows an authentication bypass in Subsonic API with non-existent username in github.com/navidrome/navidrome

Navidrome allows an authentication bypass in Subsonic API with non-existent username in github.com/navidrome/navidrome...

6.9CVSS6.7AI score0.00936EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2025/02/26 7:23 p.m.18 views

CVE-2025-27112

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS7.1AI score0.00936EPSS
Exploits1References1
OSV
OSV
added 2025/02/25 5:49 p.m.16 views

GHSA-C3P4-VM8F-386P Navidrome allows an authentication bypass in Subsonic API with non-existent username

Summary In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty salted password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error. Details A flaw...

6.9CVSS7AI score0.00936EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2025/02/25 5:49 p.m.33 views

Navidrome allows an authentication bypass in Subsonic API with non-existent username

Summary In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty salted password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error. Details A flaw...

6.9CVSS7.4AI score0.00936EPSS
Exploits1References5Affected Software1
FreeBSD
FreeBSD
added 2025/02/25 12:0 a.m.8 views

Navidrome -- Authentication bypass in Subsonic API

Deluan reports: In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty salted password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error...

6.9CVSS7.7AI score0.00936EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2025/02/24 7:15 p.m.4 views

CVE-2025-27112

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS7.2AI score0.00936EPSS
Exploits1References2
OSV
OSV
added 2025/02/24 6:37 p.m.16 views

CVE-2025-27112 Navidrome has authentication bypass in Subsonic API with non-existent username

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS6.9AI score0.00936EPSS
Exploits1References4
Cvelist
Cvelist
added 2025/02/24 6:37 p.m.59 views

CVE-2025-27112 Navidrome has authentication bypass in Subsonic API with non-existent username

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS0.00936EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/02/24 6:37 p.m.22 views

CVE-2025-27112 Navidrome has authentication bypass in Subsonic API with non-existent username

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS6.9AI score0.00936EPSS
Exploits1References2
Rows per page
Query Builder