CVE-2026-25578

Name
CVE-2026-25578
Description
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows an attacker to inject code through the comment metadata of a song and exfiltrate user credentials. This issue has been patched in version 0.60.0.
NVD Severity
unknown
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6
security-advisories@github.com https://github.com/navidrome/navidrome/releases/tag/v0.60.0
security-advisories@github.com https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:* navidrome >= None < 0.60.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
navidrome edge-community 0.59.0-r2 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.59.0-r1 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.59.0-r0 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.58.5-r1 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.58.5-r0 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.58.0-r3 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.58.0-r2 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.58.0-r1 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.58.0-r0 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.57.0-r2 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.57.0-r1 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.57.0-r0 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.56.1-r0 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.55.2-r1 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.55.2-r0 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.54.5-r2 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.54.5-r1 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.54.5-r0 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.54.4-r2 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.54.4-r1 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.54.4-r0 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.53.3-r1 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.53.3-r0 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome edge-community 0.47.5-r0 None possibly vulnerable
navidrome 3.23-community 0.58.5-r6 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome 3.23-community 0.58.5-r5 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome 3.23-community 0.58.5-r4 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome 3.23-community 0.58.5-r3 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome 3.23-community 0.58.5-r2 Tom Lebreux <me@tomlebreux.com> possibly vulnerable
navidrome 3.23-community 0.58.5-r1 Tom Lebreux <me@tomlebreux.com> possibly vulnerable