21 matches found
Navidrome <=0.54.5 - Authentication Bypass in Subsonic API
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
CVE-2026-49338 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...
EUVD-2021-8696
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2021-21399
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic AP...
VulnCheck KEV: CVE-2025-27112
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
CVE-2021-21399
Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and...
FreeBSD : Navidrome -- Authentication bypass in Subsonic API (5ca2cafa-1f24-11f0-ab07-f8f21e52f724)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 5ca2cafa-1f24-11f0-ab07-f8f21e52f724 advisory. Deluan reports: In certain Subsonic API endpoints, authentication can be bypassed by using a non-existe...
GO-2025-3484 Navidrome allows an authentication bypass in Subsonic API with non-existent username in github.com/navidrome/navidrome
Navidrome allows an authentication bypass in Subsonic API with non-existent username in github.com/navidrome/navidrome...
CVE-2025-27112
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
GHSA-C3P4-VM8F-386P Navidrome allows an authentication bypass in Subsonic API with non-existent username
Summary In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty salted password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error. Details A flaw...
Navidrome allows an authentication bypass in Subsonic API with non-existent username
Summary In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty salted password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error. Details A flaw...
Navidrome -- Authentication bypass in Subsonic API
Deluan reports: In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty salted password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error...
CVE-2025-27112
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
EUVD-2025-5077
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
CVE-2025-27112 Navidrome has authentication bypass in Subsonic API with non-existent username
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
CVE-2025-27112 Navidrome has authentication bypass in Subsonic API with non-existent username
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
CVE-2025-27112
Navidrome ≤0.54.5 is vulnerable to an authentication bypass in certain Subsonic API endpoints. A flaw in the authentication check allows an attacker to specify any non-existent username together with a salted hash of an empty password, making the request appear authenticated and granting read-onl...
CVE-2025-27112 Navidrome has authentication bypass in Subsonic API with non-existent username
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
CVE-2021-21399
Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and...
Design/Logic Flaw
Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and...