📦 Navidrome
by Navidrome
🛡️ Security Overview
⚠️ Known Vulnerabilities
CVE-2025-48949 is a critical SQL injection vulnerability in the Navidrome music server affecting versions 0.55.0 through 0.55.2. Attackers can exploit improper input validation in the API's role parameter...
CVE-2024-41259 is a vulnerability in Navidrome v0.52.3 where Gravatar's service uses an insecure hashing algorithm, allowing attackers to manipulate user account information. This affects all users of...
Navidrome versions before 0.54.1 store JWT secrets in plaintext in the database file, allowing anyone with database access to steal authentication tokens. This affects all Navidrome installations usin...
This vulnerability allows attackers to bypass authentication in Navidrome's Subsonic endpoint using a JWT signed with a hardcoded key. It affects all Navidrome instances running versions before 0.50.2...
Navidrome versions before 0.60.0 contain a cross-site scripting vulnerability in the frontend that allows attackers to inject malicious code through song comment metadata. This could lead to credentia...
This vulnerability allows authenticated users to crash Navidrome servers by sending requests with excessively large size parameters to image endpoints. Attackers can trigger uncontrolled memory growth...
CVE-2025-48948 is an authorization bypass vulnerability in the Navidrome music server where authenticated regular users can perform administrator-only transcoding configuration operations. This allows una...