Lucene search
K

159 matches found

Nuclei
Nuclei
added yesterday157 views

Navidrome <=0.54.5 - Authentication Bypass in Subsonic API

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS6.2AI score0.00936EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/26 11:33 p.m.13 views

EUVD-2026-38067

Subsonic API: any authenticated user can delete or read any other user's playlist IDOR...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References3
OSV
OSV
added 2026/06/26 11:33 p.m.3 views

GHSA-HMGP-W9JM-VP95 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)

Summary In gonic, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can: 1. Delete any playlist owned by any other user including admin by passing its id. 2. Read the full...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/26 11:32 p.m.12 views

EUVD-2026-38062

gonic: Path Traversal in playlist id bypasses ownership check, enabling any user to read/delete other users' playlists...

7.1CVSS5.8AI score0.00262EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/26 11:21 p.m.14 views

EUVD-2026-38068

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host...

8.1CVSS5.9AI score0.00269EPSS
Exploits0References2
CVE
CVE
added 2026/06/19 7:11 p.m.31 views

CVE-2026-49340

gonic is a music streaming server / Subsonic API implementation. Before v0.21.0, a logic error in ServeCreateOrUpdatePlaylist lets any authenticated Subsonic user, including non-admins, write playlist M3U content to an attacker-controlled absolute filesystem path on the host and create intermedia...

8.1CVSS5.9AI score0.00269EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/19 7:8 p.m.5 views

CVE-2026-49338

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...

7.1CVSS5.9AI score0.00168EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/06/19 7:8 p.m.21 views

CVE-2026-49338 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...

7.1CVSS0.00168EPSS
Exploits0References2
OSV
OSV
added 2026/06/19 7:8 p.m.4 views

CVE-2026-49338 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...

7.1CVSS6AI score0.00168EPSS
Exploits0References4
CVE
CVE
added 2026/06/19 7:8 p.m.26 views

CVE-2026-49338

The CVE covers gonic, a Subsonic-compatible music server. Before 0.21.0, Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view allowed any authenticated user to delete or read any other user’s private playlist due to missing per-resource authorization. The playlist ID is bas...

7.1CVSS5.9AI score0.00168EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/19 6:23 p.m.6 views

CVE-2026-49339

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS6AI score0.00262EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.21 views

PT-2026-51012

Name of the Vulnerable Software and Affected Versions gonic versions prior to 0.21.0 Description The Subsonic API endpoints '/rest/deletePlaylist.view' and '/rest/getPlaylist.view' lack per-resource authorization. An authenticated user, regardless of privilege level, can delete any playlist or re...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.25 views

PT-2026-51013

Name of the Vulnerable Software and Affected Versions Gonic versions prior to 0.21.0 Description A logic error in the ServeCreateOrUpdatePlaylist function allows for arbitrary file write operations within the music streaming server. Recommendations Update to version 0.21.0 or later. As a temporar...

8.1CVSS5.9AI score0.00269EPSS
Exploits0References8
EUVD
EUVD
added 2025/10/07 12:30 a.m.7 views

EUVD-2017-18348

Malware in sbrugna...

8.8CVSS8.8AI score0.01776EPSS
Exploits5References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-20876

Malware in sbrugna...

6.1CVSS6.3AI score0.00675EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2018-6584

Malware in sbrugna...

6.1CVSS6.3AI score0.00675EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2017-18349

Malware in sbrugna...

8.8CVSS8.7AI score0.15676EPSS
Exploits5References5
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-6582

Malware in sbrugna...

6.1CVSS6.3AI score0.00675EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2018-6585

Malware in sbrugna...

6.1CVSS6.3AI score0.00675EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2018-7754

Malware in sbrugna...

5.9CVSS5.9AI score0.00907EPSS
Exploits0References3
Rows per page
Query Builder