VDB

CESS-2026-25578

CESS-2026-25578 PUBLISHED CVSS 6.1 MEDIUM

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.

Risk Scores

CVSS 3.1
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

  • Feb 4, 2026 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›