Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

navidrome — Vulnerabilities & Security Advisories 9

Browse all 9 CVE security advisories affecting navidrome. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Navidrome serves as a self-hosted music server and streamer, enabling users to manage and access personal music collections. Historically, it has faced vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, with nine CVEs documented. Security concerns often stem from improper input validation and access control issues. While no major public incidents have been widely reported, the project maintains a moderate security posture due to its open-source nature and community-driven development. Regular updates address discovered vulnerabilities, though users should remain vigilant about applying patches promptly to mitigate potential risks associated with its web interface and API endpoints.

Top products by navidrome: navidrome
CVE IDTitleCVSSSeverityPublished
CVE-2026-25578 Navidrome is vulnerable to XSS via comment from song metadata — navidromeCWE-80 6.1 Medium2026-02-04
CVE-2026-25579 Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints — navidromeCWE-400 6.5AIMediumAI2026-02-04
CVE-2025-48949 Navidrome allows SQL Injection via role parameter — navidromeCWE-89 6.5AIMediumAI2025-05-30
CVE-2025-48948 Navidrome Transcoding Permission Bypass Vulnerability Report — navidromeCWE-863 4.3AIMediumAI2025-05-30
CVE-2025-27112 Navidrome has authentication bypass in Subsonic API with non-existent username — navidromeCWE-287 9.1 -2025-02-24
CVE-2024-56362 Navidrome Stores JWT Secret in Plaintext in navidrome.db — navidromeCWE-312 7.1 High2024-12-23
CVE-2024-47062 Multiple SQL Injections and ORM Leak in navidrome — navidromeCWE-89 9.1 -2024-09-20
CVE-2024-32963 Parameter Tampering vulnerability in Navidrome — navidromeCWE-200 4.2 Medium2024-05-01
CVE-2023-51442 Authentication bypass vulnerability in navidrome's subsonic endpoint — navidromeCWE-287 8.6 High2023-12-21

This page lists every published CVE security advisory associated with navidrome. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.