CVE-2026-25578

6.1 MEDIUM

📋 TL;DR

Navidrome versions before 0.60.0 contain a cross-site scripting vulnerability in the frontend that allows attackers to inject malicious code through song comment metadata. This could lead to credential theft from authenticated users. Anyone running Navidrome servers with the vulnerable version is affected.

💻 Affected Systems

Products:
  • Navidrome
Versions: All versions prior to 0.60.0
Operating Systems: All platforms running Navidrome
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable frontend are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator credentials, gain full control of the Navidrome server, and potentially compromise the underlying host system.

🟠 Likely Case

Attackers steal user session cookies or credentials, gaining unauthorized access to music libraries and potentially using the server for further attacks.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing credential theft.
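The following is an added example, not Navidrome's own frontend code, showing what "output encoding" means for a song comment field: the same comment string is interpolated into markup once raw and once HTML-encoded, and a check confirms only the raw version still carries a live script tag. The sample comment, the `song-comment` class and the function names are constructed for illustration.

```javascript
// Added example (not Navidrome's code): render a song comment as HTML with the
// comment text encoded, so metadata under another user's control is displayed
// literally instead of being interpreted as markup.

// Map each character with HTML meaning to its entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a string for safe inclusion in HTML text content or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: untrusted metadata interpolated straight into markup.
function renderCommentUnsafe(comment) {
  return `<div class="song-comment">${comment}</div>`;
}

// Safe pattern: the same template, with the metadata encoded first.
function renderCommentSafe(comment) {
  return `<div class="song-comment">${escapeHtml(comment)}</div>`;
}

// Does the rendered HTML still contain a script element the browser would run?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample comment (illustrative only, not real metadata).
const SAMPLE_COMMENT = "Great track! <script>example()</script>";

console.log(renderCommentUnsafe(SAMPLE_COMMENT)); // script tag survives
console.log(renderCommentSafe(SAMPLE_COMMENT));   // rendered as inert text
```

Frameworks such as React encode text children by default; the risk appears wherever a raw string is turned into markup (string templates, `innerHTML`, or an explicit "dangerous" HTML sink), so the encoding step belongs at that boundary, and a Content Security Policy (see the workarounds below) limits the damage if one such sink is missed.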

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (viewing malicious song metadata) but the XSS injection itself is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.60.0

Vendor Advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w

Restart Required: Yes

Instructions:

1. Back up your Navidrome configuration and database.
2. Stop the Navidrome service.
3. Update to version 0.60.0 using your package manager or by downloading from GitHub releases.
4. Restart the Navidrome service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable user comments (applies to: all)

Remove or disable the comment metadata field functionality if possible in your configuration.

Implement WAF rules (applies to: all)

Add web application firewall rules to block script injection patterns in metadata fields.

🧯 If You Can't Patch

  • Isolate the Navidrome server from sensitive networks and limit user access
  • Implement strict Content Security Policy headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check your Navidrome version - if it's below 0.60.0, you are vulnerable

Check Version:

Check the Navidrome web interface settings page or run: navidrome --version

Verify Fix Applied:

After updating, verify the version is 0.60.0 or higher and test that script tags in comment metadata are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual metadata updates with script tags or JavaScript code in comment fields
  • Multiple failed login attempts from unexpected locations

Network Indicators:

  • Outbound connections to suspicious domains from the Navidrome server
  • Unexpected data exfiltration patterns

SIEM Query:

source="navidrome" AND (message="*<script>*" OR message="*javascript:*")
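As an added example (not part of the advisory and not Navidrome output), the logic of the SIEM query above applied to a few constructed log records, so the rule can be checked offline before it is deployed. The record layout and the log messages are assumptions; only the `source` and `message` field names come from the query. The example also shows a caveat the literal query has: a comment that reaches the log in HTML-entity-encoded form (`&lt;script&gt;`) is not matched by `*<script>*`, so an optional decoding pass is included.

```javascript
// Added example (not from the advisory or Navidrome): run the SIEM query's
// match rules over constructed log records.

// Constructed sample records; none are real Navidrome log lines.
const SAMPLE_LOGS = [
  { source: "navidrome", message: 'Updated comment for track 42: "Great album"' },
  { source: "navidrome", message: 'Updated comment for track 43: "<script>example()</script>"' },
  { source: "navidrome", message: 'Updated comment for track 44: "<a href=JavaScript:example()>x</a>"' },
  { source: "navidrome", message: 'Updated comment for track 45: "&lt;script&gt;example()&lt;/script&gt;"' },
  { source: "nginx", message: "GET /app/ <script>" },
];

// Equivalent of message="*<script>*" OR message="*javascript:*".
// Wildcard matching in most SIEMs is case-insensitive, so the regexes are too.
const LITERAL_PATTERNS = [/<script>/i, /javascript:/i];

// Decode the common HTML entities so an entity-encoded comment is also seen.
function decodeBasicEntities(text) {
  return text
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&#39;/gi, "'")
    .replace(/&amp;/gi, "&");
}

// Return the records the rule would surface: source must be navidrome and the
// message must contain one of the indicator patterns. With decodeEntities set,
// the message is entity-decoded before matching.
function findScriptIndicators(records, { decodeEntities = false } = {}) {
  return records.filter((rec) => {
    if (rec.source !== "navidrome") return false;
    const text = decodeEntities ? decodeBasicEntities(rec.message) : rec.message;
    return LITERAL_PATTERNS.some((re) => re.test(text));
  });
}

// Literal rule: tracks 43 and 44. Decoded rule: 45 as well.
console.log(findScriptIndicators(SAMPLE_LOGS).length);
console.log(findScriptIndicators(SAMPLE_LOGS, { decodeEntities: true }).length);
```

Treat hits as a trigger to inspect the stored comment metadata for the affected tracks and the account that wrote it; the query is an indicator, not proof of exploitation, since legitimate comments can contain angle brackets.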
