CVE-2026-25578

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...

Navidrome has XSS via comment from song metadata

Summary An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability. Details The frontend is using React. In...

GHSA-RH3R-8PXM-HG4W Navidrome has XSS via comment from song metadata

Summary An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability. Details The frontend is using React. In...

SUSE CVE-2009-1438

Integer overflow in the CSoundFile::ReadMed function src/loadmed.cpp in libmodplug before 0.8.6, as used in gstreamer-plugins, TTPlayer, and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted 1 song comment or 2 song name, which triggers a...

DEBIAN-CVE-2009-1438

Integer overflow in the CSoundFile::ReadMed function src/loadmed.cpp in libmodplug before 0.8.6, as used in gstreamer-plugins, TTPlayer, and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted 1 song comment or 2 song name, which triggers a...

VulnCheck KEV: CVE-2009-1438

Integer overflow in the CSoundFile::ReadMed function src/loadmed.cpp in libmodplug before 0.8.6, as used in gstreamer-plugins, TTPlayer, and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted 1 song comment or 2 song name, which...