6 matches found
CVE-2026-25578
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...
CVE-2026-25578
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...
GHSA-RH3R-8PXM-HG4W Navidrome has XSS via comment from song metadata
Summary An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability. Details The frontend is using React. In...
Navidrome has XSS via comment from song metadata
Summary An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability. Details The frontend is using React. In...
PT-2026-6325
Name of the Vulnerable Software and Affected Versions Navidrome versions prior to 0.60.0 Description Navidrome is a web-based music collection server and streamer. A cross-site scripting issue exists in the frontend that allows a malicious attacker to inject code through the comment metadata of a...
PT-2024-39871 · Unknown · Download Plugin
Name of the Vulnerable Software and Affected Versions: Download Plugin versions up to, and including, 2.2.0 Description: The issue allows authenticated attackers with Subscriber-level access and above to download any comment and metadata for any user, including sensitive information such as...