158 matches found
EUVD-2025-5077
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
CVE-2025-27112 Navidrome has authentication bypass in Subsonic API with non-existent username
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
CVE-2025-27112
Navidrome ≤0.54.5 is vulnerable to an authentication bypass in certain Subsonic API endpoints. A flaw in the authentication check allows an attacker to specify any non-existent username together with a salted hash of an empty password, making the request appear authenticated and granting read-onl...
GO-2023-2414 Authentication bypass vulnerability in navidrome's subsonic endpoint in github.com/navidrome/navidrome
Authentication bypass vulnerability in navidrome's subsonic endpoint in github.com/navidrome/navidrome...
CVE-2023-51442
Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token JWT signed wit...
CVE-2023-51442
Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token JWT signed wit...
Authentication flaw
Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token JWT signed wit...
CVE-2023-51442 Authentication bypass vulnerability in navidrome's subsonic endpoint
Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token JWT signed wit...
CVE-2023-51442 Authentication bypass vulnerability in navidrome's subsonic endpoint
Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token JWT signed wit...
CVE-2023-51442
Navidrome vulnerability CVE-2023-51442 affects the subsonic authentication endpoint. A JWT signed with the hardcoded key "not so secret" can bypass authentication on instances that have never been restarted, potentially granting access to existing user accounts via the /rest/ endpoint. The issue ...
Authentication bypass vulnerability in navidrome's subsonic endpoint
Summary A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token JWT signed with the key "not so secret". The vulnerability can only be exploited o...
GHSA-WQ59-4Q6R-635R Authentication bypass vulnerability in navidrome's subsonic endpoint
Summary A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token JWT signed with the key "not so secret". The vulnerability can only be exploited o...
PT-2023-31832 · Navidrome · Navidrome
Name of the Vulnerable Software and Affected Versions: Navidrome versions prior to 0.50.2 Description: A security issue has been identified in Navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web...
Subsonic Server Side Request Forgery (CVE-2017-9355)
A vulnerability exists in Subsonic. Successful exploitation of this vulnerability could allow a remote attacker to damage users system...
CVE-2021-21399
Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and...
UBUNTU-CVE-2021-21399
Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and...
Design/Logic Flaw
Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and...
CVE-2021-21399 Unauthenticated SubSonic backend access in Ampache
Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and...
PT-2021-14476 · Ampache · Ampache
Name of the Vulnerable Software and Affected Versions: Ampache versions prior to 4.4.1 Description: The issue allows unauthenticated access to Ampache using the subsonic API. To exploit this, an attacker must use a username that is not part of the site to bypass the auth checks. Recommendations:...
CVE-2018-20228
Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF...