Navidrome

11 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
Exploit
  • EPSS 0.01%
  • Published 04.02.2026 21:58:42
  • Last modified 18.02.2026 19:03:44

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate ...

Exploit
  • EPSS 0.05%
  • Published 04.02.2026 21:58:23
  • Last modified 18.02.2026 19:01:54

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/s...

  • EPSS 0.12%
  • Published 30.05.2025 19:40:51
  • Last modified 26.08.2025 14:12:51

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this...

Exploit
  • EPSS 0.07%
  • Published 30.05.2025 19:25:41
  • Last modified 26.08.2025 14:17:42

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding con...

Exploit
  • EPSS 12.88%
  • Published 24.02.2025 19:15:14
  • Last modified 27.02.2025 20:18:12

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitr...

  • EPSS 0.04%
  • Published 23.12.2024 18:15:07
  • Last modified 26.08.2025 01:56:50

Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access t...

Exploit
  • EPSS 86.16%
  • Published 20.09.2024 19:15:16
  • Last modified 26.08.2025 17:45:51

Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak)....

  • EPSS 0.19%
  • Published 01.08.2024 21:15:36
  • Last modified 26.08.2025 01:16:30

Use of an insecure hashing algorithm in the Gravatar service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.

Exploit
  • EPSS 0.39%
  • Published 01.05.2024 07:15:40
  • Last modified 26.08.2025 18:52:40

Navidrome is an open source web-based music collection server and streamer. Affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. Th...

Exploit
  • EPSS 0.3%
  • Published 21.12.2023 15:15:13
  • Last modified 21.11.2024 08:38:07

Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known accou...