CVE-2025-48949 — Vulnetix

CVE-2025-48949 PUBLISHED CVSS 8.899999618530273 HIGH

Navidrome allows SQL Injection via role parameter

EPSS 0.49% · 65.9th percentile

Risk Scores

CVSS 4.0

8.899999618530273

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

EPSS Score

0.49%

65.9th percentile

Affected Products

Vendor	Product	Versions
navidrome	navidrome	>= 0.55.0, < 0.56.0, 0.55.0, 0.55.0
github.com	navidrome/navidrome	0.55.0, 0.55.0

Exploit Intelligence

CIRCL seen: CVE-2025-48949 (circl-sighting)
https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r (circl)
https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6 (circl)

Timeline

Jan 21, 1970 Security Advisory
May 29, 2025 CVE Published
May 30, 2025 PoC Published
May 31, 2025 EPSS Score
Jun 2, 2025 Coalition ESS Score
Jun 11, 2025 EPSS Score
Jun 22, 2025 EPSS Score
Jul 2, 2025 EPSS Score
Jul 13, 2025 EPSS Score
Jul 24, 2025 EPSS Score
Aug 4, 2025 EPSS Score
Aug 15, 2025 EPSS Score

References

Open in Interactive Console →

$ Console Community · 100/wk Open console ›