
Github.Com Navidrome Navidrome vulnerabilities

11 known vulnerabilities affecting github.com/navidrome_navidrome.

Total CVEs: 11
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 5

Vulnerabilities

CVE-2025-27112 (P1, MEDIUM, Exploited, PoC) affected: ≥ 0.52.0, < 0.54.5; date: 2025-02-25
CVE-2025-27112 [MEDIUM] CWE-287 Navidrome allows an authentication bypass in Subsonic API with non-existent username ### Summary In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty (salted) password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error. ### De
CVE-2024-47062 (P2, CRITICAL, PoC) affected: ≥ 0, < 0.53.0; date: 2024-09-20
CVE-2024-47062 [CRITICAL] CWE-89 Navidrome has Multiple SQL Injections and ORM Leak # Security Advisory: Multiple Vulnerabilities in Navidrome ## Summary Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username
CVE-2025-48949 (P3, HIGH) affected: ≥ 0.55.0, < 0.56.0; date: 2025-05-29
CVE-2025-48949 [HIGH] CWE-89 Navidrome allows SQL Injection via role parameter ## 🛡 **Security Advisory: SQL Injection Vulnerability in Navidrome v0.55.2** ### **Overview** This vulnerability arises due to improper input validation on the **`role`** parameter within the API endpoint **`/api/artist`**. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromisin
CVE-2023-51442 (P3, HIGH) affected: ≥ 0, < 0.50.2; date: 2023-12-19
CVE-2023-51442 [HIGH] CWE-287 Authentication bypass vulnerability in navidrome's subsonic endpoint ### Summary A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key "not so secret". The vulnerability can only be exploited on instances that have neve
CVE-2024-41259 (P3, MEDIUM) affected: ≥ 0, ≤ 0.52.3; date: 2024-08-01
CVE-2024-41259 [MEDIUM] CWE-200 Navidrome uses MD5 hashing algorithm Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.
CVE-2022-23857 (P3, MEDIUM) affected: ≥ 0, < 0.47.5; date: 2022-01-27
CVE-2022-23857 [MEDIUM] CWE-89 SQL injection in github.com/navidrome/navidrome model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).
CVE-2025-48948 (P3, HIGH) affected: ≥ 0, < 0.56.0; date: 2025-05-29
CVE-2025-48948 [HIGH] CWE-863 Navidrome Transcoding Permission Bypass Vulnerability Report ### Summary A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. ### Details Navidrome supports transcoding functionality which, although disabled by d
CVE-2026-25579 (P3, CRITICAL) affected: ≥ 0, < 0.60.0; date: 2026-02-04
CVE-2026-25579 [CRITICAL] CWE-400 Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints ### Summary Authenticated users can crash the Navidrome server by supplying an excessively large `size` parameter to `/rest/getCoverArt` or to a shared-image URL (`/share/img
CVE-2026-25578 (P4, MEDIUM) affected: ≥ 0, < 0.60.0; date: 2026-02-04
CVE-2026-25578 [MEDIUM] CWE-79 Navidrome has XSS via comment from song metadata ### Summary An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability. ### Details The frontend is using React. In various places, the code uses the `dangerouslySetInnerHTML` e
CVE-2024-56362 (P4, HIGH) affected: ≥ 0, < 0.54.1; date: 2024-12-23
CVE-2024-56362 [HIGH] CWE-312 Navidrome Stores JWT Secret in Plaintext in navidrome.db Navidrome stores the JWT secret in plaintext in the `navidrome.db` database file under the `property` table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could: - Forge valid tokens to i
CVE-2024-32963 (P4, MEDIUM) affected: ≥ 0, < 0.52.0; date: 2024-05-01
CVE-2024-32963 [MEDIUM] CWE-200 Navidrome Parameter Tampering vulnerability ### Summary Parameter tampering is a vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. ### Details The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and p