6 matches found
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the comment field in song metadata. An attacker can execute arbitrary JavaScript in the context of the user's browser by injecting malicious content into this field. Details Cross-site scripting or XSS is a...
GO-2026-4413 Navidrome has XSS via comment from song metadata in github.com/navidrome/navidrome
Navidrome has XSS via comment from song metadata in github.com/navidrome/navidrome...
CVE-2026-25578 Navidrome is vulnerable to XSS via comment from song metadata
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...
CVE-2026-25578
Navidrome is vulnerable to a frontend cross-site scripting (XSS) flaw via the song metadata comment field. A maliciously crafted comment can exfiltrate user credentials or API tokens from the Navidrome UI. Affected version range is prior to 0.60.0; the issue has been mitigated/patched in 0.60.0. ...
CVE-2026-25578 Navidrome is vulnerable to XSS via comment from song metadata
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...
CVE-2026-25578 Navidrome is vulnerable to XSS via comment from song metadata
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...