Navidrome

9 matches found

CVE-2025-27112 (added 2025/02/24 7:15 p.m., 180 views)

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, a...

CVSS 6.9 | AI score 7.2 | EPSS 0.10184
CVE-2022-23857 (added 2022/01/24 2:15 a.m., 80 views)

model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users'...

CVSS 6.5 | AI score 6.5 | EPSS 0.00217
CVE-2024-56362 (added 2024/12/23 6:15 p.m., 80 views)

Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This...

CVSS 7.1 | AI score 6.8 | EPSS 0.00018
CVE-2023-51442 (added 2023/12/21 3:15 p.m., 64 views)

Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in Navidrome's Subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed wit...

CVSS 8.6 | AI score 8.8 | EPSS 0.00223
CVE-2024-47062 (added 2024/09/20 7:15 p.m., 64 views)

Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like password=... in the URL (ORM Leak). Furthermore, the names of the parameters are not p...

CVSS 9.4 | AI score 7 | EPSS 0.49898
CVE-2025-48949 (added 2025/05/30 8:15 p.m., 46 views)

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially ga...

CVSS 9.3 | AI score 7.4 | EPSS 0.00084
CVE-2024-32963 (added 2024/05/01 7:15 a.m., 44 views)

Navidrome is an open source web-based music collection server and streamer. Affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values...

CVSS 4.2 | AI score 6.5 | EPSS 0.00054
CVE-2025-48948 (added 2025/05/30 8:15 p.m., 42 views)

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modify...

CVSS 8.7 | AI score 6.7 | EPSS 0.00054
CVE-2024-41259 (added 2024/08/01 9:15 p.m., 35 views)

Use of an insecure hashing algorithm in the Gravatar service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.

CVSS 9.1 | AI score 6.9 | EPSS 0.00189